Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities
CVE-2026-14535 (GCVE-0-2026-14535)
Vulnerability from cvelistv5 – Published: 2026-07-04 13:31 – Updated: 2026-07-04 13:31
VLAI
Title
Fickling MLAllowlist analysis pass rendered inoperative by shared mutable state in AnalysisContext.shorten_code()
Summary
In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports — it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deserialization while fickling's check_safety() returns LIKELY_SAFE. The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, meaning a LIKELY_SAFE verdict causes the payload to be deserialized and executed. The root cause is shared mutable state between independently-correct analysis passes — UnsafeImportsML works as designed in isolation, MLAllowlist works as designed in isolation, but the shared reported_shortened_code set causes UnsafeImportsML to poison MLAllowlist's deduplication logic.
Severity
8.8 (High)
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| trailofbits | fickling |
Affected:
0 , ≤ 0.1.11
(custom)
Unaffected: 0.1.12 (custom) |
Date Public
2026-06-28 00:08
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/fickling/",
"defaultStatus": "unaffected",
"packageName": "fickling",
"product": "fickling",
"vendor": "trailofbits",
"versions": [
{
"lessThanOrEqual": "0.1.11",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "0.1.12",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christopher Aziz (Bombadil Systems LLC)"
}
],
"datePublic": "2026-06-28T00:08:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIn Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports \u2014 it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deserialization while fickling\u0027s check_safety() returns LIKELY_SAFE. The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, meaning a LIKELY_SAFE verdict causes the payload to be deserialized and executed. The root cause is shared mutable state between independently-correct analysis passes \u2014 UnsafeImportsML works as designed in isolation, MLAllowlist works as designed in isolation, but the shared reported_shortened_code set causes UnsafeImportsML to poison MLAllowlist\u0027s deduplication logic.\u003c/p\u003e"
}
],
"value": "In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports \u2014 it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deserialization while fickling\u0027s check_safety() returns LIKELY_SAFE. The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, meaning a LIKELY_SAFE verdict causes the payload to be deserialized and executed. The root cause is shared mutable state between independently-correct analysis passes \u2014 UnsafeImportsML works as designed in isolation, MLAllowlist works as designed in isolation, but the shared reported_shortened_code set causes UnsafeImportsML to poison MLAllowlist\u0027s deduplication logic."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An attacker can craft a malicious pickle file that imports any standard library module not in fickling\u0027s UNSAFE_IMPORTS denylist. Because the MLAllowlist check is silently skipped due to shared state pollution from UnsafeImportsML, fickling\u0027s check_safety() returns LIKELY_SAFE. When used with fickling.load(), the payload is deserialized and arbitrary code executes in the victim\u0027s environment. This is distinct from denylist incompleteness (CWE-184) because the allowlist mechanism was specifically designed to catch imports that the denylist misses, and a code defect renders it entirely inoperative."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693 Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-04T13:31:14.937Z",
"orgId": "aa17e1a1-c329-4d6e-a1ed-8d0188aea082",
"shortName": "BombadilSystems"
},
"references": [
{
"name": "GitHub Security Advisory GHSA-cffv-grgg-g429",
"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-cffv-grgg-g429"
},
{
"name": "Fix PR #278 \u2014 Split shorten_code() formatting from dedup tracking, make MLAllowlist opt-in",
"url": "https://github.com/trailofbits/fickling/pull/278"
},
{
"name": "Fix commit 41ce7cb (squash merge of PR #278)",
"url": "https://github.com/trailofbits/fickling/commit/41ce7cb01edd97072994039574a2301ebb3f463d"
},
{
"name": "Fickling v0.1.12 release",
"url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.12"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Fickling MLAllowlist analysis pass rendered inoperative by shared mutable state in AnalysisContext.shorten_code()",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "aa17e1a1-c329-4d6e-a1ed-8d0188aea082",
"assignerShortName": "BombadilSystems",
"cveId": "CVE-2026-14535",
"datePublished": "2026-07-04T13:31:14.937Z",
"dateReserved": "2026-07-03T00:02:55.918Z",
"dateUpdated": "2026-07-04T13:31:14.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14534 (GCVE-0-2026-14534)
Vulnerability from cvelistv5 – Published: 2026-07-04 13:25 – Updated: 2026-07-04 13:25
VLAI
Title
Fickling check_safety() bypass via unlisted standard library modules (_posixsubprocess, site, atexit)
Summary
Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling's check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.
Severity
8.8 (High)
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| trailofbits | fickling |
Affected:
0 , ≤ 0.1.10
(custom)
Unaffected: 0.1.11 (custom) |
Date Public
2026-06-28 00:08
Credits
{
"containers": {
"cna": {
"affected": [
{
"collectionURL": "https://pypi.org/project/fickling/",
"defaultStatus": "unaffected",
"packageName": "fickling",
"product": "fickling",
"vendor": "trailofbits",
"versions": [
{
"lessThanOrEqual": "0.1.10",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"status": "unaffected",
"version": "0.1.11",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Christopher Aziz (Bombadil Systems LLC)"
}
],
"datePublic": "2026-06-28T00:08:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eTrail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling\u0027s check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.\u003c/p\u003e"
}
],
"value": "Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling\u0027s check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern."
}
],
"impacts": [
{
"descriptions": [
{
"lang": "en",
"value": "An attacker can craft a malicious pickle file that invokes _posixsubprocess.fork_exec to spawn arbitrary processes. When a victim\u0027s ML pipeline passes this file through fickling.load(), fickling classifies it as LIKELY_SAFE and deserializes it, executing attacker-controlled code with the privileges of the victim process."
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-184",
"description": "CWE-184 Incomplete List of Disallowed Inputs",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-04T13:25:55.283Z",
"orgId": "aa17e1a1-c329-4d6e-a1ed-8d0188aea082",
"shortName": "BombadilSystems"
},
"references": [
{
"name": "GitHub Security Advisory GHSA-m6fh-58r7-x697",
"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-m6fh-58r7-x697"
},
{
"name": "Fix PR #272",
"url": "https://github.com/trailofbits/fickling/pull/272"
},
{
"name": "Fix commit e840861",
"url": "https://github.com/trailofbits/fickling/commit/e8408615b63adf034f891f653692ab9b51f0f5af"
},
{
"name": "Fickling v0.1.11 release",
"url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.11"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Fickling check_safety() bypass via unlisted standard library modules (_posixsubprocess, site, atexit)",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "aa17e1a1-c329-4d6e-a1ed-8d0188aea082",
"assignerShortName": "BombadilSystems",
"cveId": "CVE-2026-14534",
"datePublished": "2026-07-04T13:25:55.283Z",
"dateReserved": "2026-07-03T00:02:49.289Z",
"dateUpdated": "2026-07-04T13:25:55.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}