CVE-2026-14535
Status: Received - Intake

UnsafeImportsML Analysis Bypass via Shared State in fickling

Vulnerability report for CVE-2026-14535, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: aa17e1a1-c329-4d6e-a1ed-8d0188aea082

Description

In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports: it never evaluates whether an import is in the ML allowlist or not.

The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deserialization while fickling's check_safety() returns LIKELY_SAFE. The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, meaning a LIKELY_SAFE verdict causes the payload to be deserialized and executed.

The root cause is shared mutable state between independently correct analysis passes: UnsafeImportsML works as designed in isolation, and MLAllowlist works as designed in isolation, but the shared reported_shortened_code set lets UnsafeImportsML poison MLAllowlist's deduplication logic.
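To make the mechanism concrete, the following is an added example written for this page; it is a toy model, not fickling's code. The class and method names (AnalysisContext, shorten_code, reported_shortened_code, the two passes) mirror the advisory text, but their bodies, the sample import nodes, and the denylist and allowlist contents are constructed for illustration. The "fixed" variant only registers an import in the shared set when it is actually reported, which is one correction consistent with the described root cause; the page does not state what change 0.1.12 made beyond making MLAllowlist opt-in.

```python
"""Toy model of the CVE-2026-14535 mechanism: two analysis passes that are each
correct alone, but share one deduplication set. This is an added illustration,
not fickling source; names follow the advisory, bodies are hypothetical."""
from dataclasses import dataclass, field

# Constructed, illustrative lists. They are NOT fickling's real denylist/allowlist.
UNSAFE_IMPORTS = {"os", "subprocess", "builtins"}
ML_ALLOWLIST = {"torch", "numpy", "transformers"}


@dataclass(frozen=True)
class ImportNode:
    """Stand-in for an import (GLOBAL opcode) found in a pickle."""
    module: str
    name: str


@dataclass
class AnalysisContext:
    """Shared across passes. The dedup set is the shared mutable state."""
    reported_shortened_code: set[str] = field(default_factory=set)

    def shorten_code(self, node: ImportNode) -> tuple[str, bool]:
        """Return (shortened, already_reported) and register the code as reported.
        Calling this has a side effect even if the caller reports nothing."""
        shortened = f"from {node.module} import {node.name}"
        already_reported = shortened in self.reported_shortened_code
        self.reported_shortened_code.add(shortened)
        return shortened, already_reported


def unsafe_imports_buggy(ctx: AnalysisContext, nodes: list[ImportNode]) -> list[str]:
    """Pass 1 as described for <= 0.1.11: shorten_code() runs for every node."""
    findings = []
    for node in nodes:
        shortened, _ = ctx.shorten_code(node)  # unconditional: pre-registers every import
        if node.module in UNSAFE_IMPORTS:
            findings.append(shortened)
    return findings


def unsafe_imports_fixed(ctx: AnalysisContext, nodes: list[ImportNode]) -> list[str]:
    """Pass 1, corrected (hypothetical): touch shared state only when reporting."""
    findings = []
    for node in nodes:
        if node.module in UNSAFE_IMPORTS:
            shortened, already_reported = ctx.shorten_code(node)
            if not already_reported:
                findings.append(shortened)
    return findings


def ml_allowlist(ctx: AnalysisContext, nodes: list[ImportNode]) -> list[str]:
    """Pass 2: correct in isolation, but trusts the shared dedup set."""
    findings = []
    for node in nodes:
        shortened, already_reported = ctx.shorten_code(node)
        if already_reported:
            continue  # with the buggy pass 1, this is taken for every node
        if node.module.split(".")[0] not in ML_ALLOWLIST:
            findings.append(shortened)
    return findings


def run_chain(pass1, nodes: list[ImportNode]) -> dict[str, list[str]]:
    """Run pass 1 then MLAllowlist over one shared context, as a chain would."""
    ctx = AnalysisContext()
    return {"unsafe": pass1(ctx, nodes), "allowlist": ml_allowlist(ctx, nodes)}


# Constructed sample: one allowed ML import, one denylisted import, and one
# import from a made-up module outside both lists (only MLAllowlist can catch it).
SAMPLE_NODES = [
    ImportNode("torch", "Tensor"),
    ImportNode("os", "system"),
    ImportNode("example_mod", "func"),
]

if __name__ == "__main__":
    print("buggy chain:", run_chain(unsafe_imports_buggy, SAMPLE_NODES))
    print("fixed chain:", run_chain(unsafe_imports_fixed, SAMPLE_NODES))
```

With the buggy pass 1, the allowlist findings come back empty even though example_mod is outside the allowlist; with the corrected pass 1, the denylisted import is still deduplicated (MLAllowlist skips it because it was genuinely reported) while example_mod is flagged. The point to take away is that a deduplication set shared between passes is only safe if every writer registers exactly what it reports.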


Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-04
AI Q&A generated: 2026-07-04
EPSS Evaluated: N/A
External entries: NVD, EUVD

Affected Vendors & Products

Showing 2 associated CPEs

Vendor        Product    Version / Range
trailofbits   fickling   up to 0.1.11 (inclusive): affected
trailofbits   fickling   0.1.12: the fixed release named in the mitigation guidance below

Exploitability

CWE: CWE-693 (Protection Mechanism Failure). The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

AI Quick Actions (AI-generated summaries)

Executive Summary

CVE-2026-14535 is a vulnerability in the fickling pickle-analysis library (versions up to and including 0.1.11) caused by shared mutable state between two analysis passes, UnsafeImportsML and MLAllowlist. The UnsafeImportsML pass calls a helper that marks every import node as already reported in a shared set, whether or not the import was flagged, so the MLAllowlist pass, which runs afterwards and skips anything already reported, skips every import. MLAllowlist, which is meant to catch imports outside the known-safe machine learning ecosystem, is therefore dead code on affected versions. A pickle that imports a module outside both the denylist and the allowlist receives a LIKELY_SAFE verdict from check_safety(), and fickling.load() goes on to deserialize and execute it.

Impact Analysis

The practical impact is that a pickle importing a standard library module outside fickling's UNSAFE_IMPORTS denylist passes check_safety() with a LIKELY_SAFE verdict, so fickling.load() proceeds to pickle.loads() and the import is executed in the calling process. Any application that relies on fickling as its gate for pickles from untrusted sources (model files, cached objects, serialized messages) can therefore be made to run attacker-chosen code from modules the allowlist was meant to reject. Whether that amounts to remote code execution depends on how the pickle reaches the process, but the confidentiality, integrity and availability of the host performing the deserialization are all at stake.

Detection Guidance

To determine whether you are affected, check the installed fickling version: every release up to and including 0.1.11 carries the bug. The defect itself is silent. The broken MLAllowlist pass produces no output, and check_safety() still returns LIKELY_SAFE, so nothing in the verdict distinguishes a genuinely clean pickle from one MLAllowlist should have flagged.

The page's suggested check is to run the safety check with the MLAllowlist analyzer explicitly enabled, which is the opt-in mode MLAllowlist has after the fix:

  • check_safety(analyzer=[MLAllowlist()])

Treat this as a sketch rather than a copy-paste command: it omits the parsed pickle that check_safety() takes as its first argument, and in the fickling releases this editor is aware of, the analyzer parameter expects an Analyzer object wrapping the analyses rather than a bare list. Confirm the exact 0.1.12 signature before relying on it. Because the bug is triggered by UnsafeImportsML running before MLAllowlist inside the same AnalysisContext, an analyzer that runs MLAllowlist on its own would, by the mechanism described above, not have its deduplication poisoned; that inference should be verified against the source of your installed version rather than assumed.

Mitigation Strategies

The immediate mitigation is to upgrade fickling to version 0.1.12 or later, where the shared-state issue has been fixed.

After upgrading, MLAllowlist is opt-in rather than part of the default pass chain, so users who want allowlist enforcement must enable it explicitly when calling check_safety(), for example:

  • check_safety(analyzer=[MLAllowlist()])

This is a sketch: supply the parsed pickle as the first argument and construct the analyzer argument the way the 0.1.12 API expects. Enabling the pass restores the allowlist check that 0.1.11 and earlier silently skipped.

Independently of the fix, fickling's static analysis is a heuristic gate placed in front of pickle.loads(), and a LIKELY_SAFE verdict still ends in arbitrary object deserialization. Where a pickle comes from an untrusted source, prefer not to deserialize it at all, and do not rely on a single analysis pass as the only control.
