CVE-2026-14534
Received - Intake

Pickle Deserialization Flaw in Fickling

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: aa17e1a1-c329-4d6e-a1ed-8d0188aea082

Description

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling's check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.

Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-04
AI Q&A: 2026-07-04
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor | Product | Version / Range
trail_of_bits | fickling | to 0.1.10 (inc)
trail_of_bits | fickling | From 0.1.11 (inc)

Exploitability

CWE

CWE ID | Description
CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.
CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Executive Summary

CVE-2026-14534 is a security vulnerability in the fickling package (versions up to and including 0.1.10) where certain Python standard library modules (_posixsubprocess, site, and atexit) were missing from the UNSAFE_IMPORTS denylist. Because these modules were not blocked, the check_safety() function incorrectly marked pickle payloads invoking dangerous functions from these modules as LIKELY_SAFE, allowing unsafe deserialization and execution of potentially malicious code.

This flaw allows attackers to bypass safety checks and execute arbitrary code through pickle payloads that use these modules to perform actions like spawning processes, executing site customization code, or triggering exit handler callbacks.

Impact Analysis

This vulnerability can lead to remote code execution by allowing malicious pickle payloads to bypass security checks and execute arbitrary commands or code on the affected system.

  • Arbitrary process spawning via _posixsubprocess.fork_exec.
  • Execution of arbitrary site customization code through the site module.
  • Triggering of exit handler callbacks using the atexit module, potentially leading to unintended code execution.

Overall, this can compromise the confidentiality, integrity, and availability of the system running the vulnerable version of fickling.

Detection Guidance

This vulnerability involves the fickling package versions up to 0.1.10 not including certain standard library modules (_posixsubprocess, site, atexit) in its UNSAFE_IMPORTS denylist, allowing malicious pickle payloads to bypass safety checks.

To detect this vulnerability on your system, you should first check the version of the fickling package installed. If it is version 0.1.10 or earlier, it is vulnerable.

You can run the following command to check the installed version of fickling:

  • pip show fickling

Additionally, to detect if unsafe pickle payloads exploiting this vulnerability are being deserialized, you can monitor logs or network traffic for suspicious pickle deserialization activities, especially those invoking modules like _posixsubprocess, site, or atexit.

Since the vulnerability is related to the check_safety() function returning LIKELY_SAFE incorrectly, you may also consider running security scans or tests with known proof-of-concept payloads that exploit these modules to verify if your system is vulnerable.
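
One way to do the payload-level check described above without relying on fickling's verdict is to walk a pickle's opcodes with the standard-library pickletools module, list the imports it references, and flag the three modules named in this advisory. This is an added example, not code from fickling or from this report; the function names and sample pickles are constructed for illustration, and the STACK_GLOBAL handling is a heuristic.

```python
import atexit
import collections
import pickle
import pickletools

# Modules the description lists as absent from UNSAFE_IMPORTS in fickling <= 0.1.10.
MISSING_FROM_DENYLIST = {"_posixsubprocess", "site", "atexit"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}


def pickle_imports(data: bytes) -> set:
    """Return the (module, name) pairs a pickle references, without loading it."""
    imports, strings = set(), []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            strings.append(arg)
        elif op.name in ("GLOBAL", "INST"):
            # Protocols 0-3: the argument is "module name" in one string.
            imports.add(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":
            # Protocol 4+: module and name come from the stack. Heuristic: take
            # the last two strings pushed; otherwise record as unresolved.
            imports.add(tuple(strings[-2:]) if len(strings) >= 2 else ("?", "?"))
    return imports


def flagged_modules(data: bytes) -> list:
    """Top-level modules from the advisory (or "?" if unresolved) found in data."""
    roots = {module.split(".")[0] for module, _name in pickle_imports(data)}
    return sorted(roots & (MISSING_FROM_DENYLIST | {"?"}))


# Constructed samples. Each only references an object by name; nothing is
# called, and this script never unpickles them.
SAMPLE_PLAIN = pickle.dumps({"k": [1, 2, 3]})
SAMPLE_STDLIB = pickle.dumps(collections.OrderedDict(a=1))
SAMPLE_ATEXIT_P2 = pickle.dumps(atexit.register, protocol=2)  # GLOBAL
SAMPLE_ATEXIT_P4 = pickle.dumps(atexit.register, protocol=4)  # STACK_GLOBAL

if __name__ == "__main__":
    for label, blob in [("plain", SAMPLE_PLAIN), ("stdlib", SAMPLE_STDLIB),
                        ("atexit/p2", SAMPLE_ATEXIT_P2),
                        ("atexit/p4", SAMPLE_ATEXIT_P4)]:
        print(label, sorted(pickle_imports(blob)), flagged_modules(blob))
```

Matching on three module names repeats the incomplete-denylist weakness (CWE-184) this entry describes, so for a gate in front of deserialization compare the output of pickle_imports against an allowlist of the few imports your data format needs.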

Mitigation Strategies

The immediate mitigation step is to upgrade the fickling package to version 0.1.11 or later, where the UNSAFE_IMPORTS blocklist has been expanded to include the missing modules (_posixsubprocess, site, atexit) that caused the vulnerability.

You can upgrade fickling using the following command:

  • pip install --upgrade fickling

This update addresses the vulnerability by blocking dangerous imports that could lead to arbitrary code execution or other malicious activities.

Additionally, review your use of pickle deserialization in your applications and consider implementing additional security measures such as restricting or validating pickle inputs, or using safer serialization alternatives.
