CVE-2026-14534 (GCVE-0-2026-14534)

Vulnerability from cvelistv5 – Published: 2026-07-04 13:25 – Updated: 2026-07-04 13:25
VLAI
Title
Fickling check_safety() bypass via unlisted standard library modules (_posixsubprocess, site, atexit)
Summary
Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling's check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.
CWE
  • CWE-184 - Incomplete List of Disallowed Inputs
  • CWE-502 - Deserialization of Untrusted Data
Assigner
Impacted products
Vendor Product Version
trailofbits fickling Affected: 0 , ≤ 0.1.10 (custom)
Unaffected: 0.1.11 (custom)
Create a notification for this product.
Date Public
2026-06-28 00:08
Credits
Christopher Aziz (Bombadil Systems LLC)
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/fickling/",
          "defaultStatus": "unaffected",
          "packageName": "fickling",
          "product": "fickling",
          "vendor": "trailofbits",
          "versions": [
            {
              "lessThanOrEqual": "0.1.10",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "0.1.11",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Christopher Aziz (Bombadil Systems LLC)"
        }
      ],
      "datePublic": "2026-06-28T00:08:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eTrail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling\u0027s check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.\u003c/p\u003e"
            }
          ],
          "value": "Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling\u0027s check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker can craft a malicious pickle file that invokes _posixsubprocess.fork_exec to spawn arbitrary processes. When a victim\u0027s ML pipeline passes this file through fickling.load(), fickling classifies it as LIKELY_SAFE and deserializes it, executing attacker-controlled code with the privileges of the victim process."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-184",
              "description": "CWE-184 Incomplete List of Disallowed Inputs",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502 Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-04T13:25:55.283Z",
        "orgId": "aa17e1a1-c329-4d6e-a1ed-8d0188aea082",
        "shortName": "BombadilSystems"
      },
      "references": [
        {
          "name": "GitHub Security Advisory GHSA-m6fh-58r7-x697",
          "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-m6fh-58r7-x697"
        },
        {
          "name": "Fix PR #272",
          "url": "https://github.com/trailofbits/fickling/pull/272"
        },
        {
          "name": "Fix commit e840861",
          "url": "https://github.com/trailofbits/fickling/commit/e8408615b63adf034f891f653692ab9b51f0f5af"
        },
        {
          "name": "Fickling v0.1.11 release",
          "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.11"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Fickling check_safety() bypass via unlisted standard library modules (_posixsubprocess, site, atexit)",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "aa17e1a1-c329-4d6e-a1ed-8d0188aea082",
    "assignerShortName": "BombadilSystems",
    "cveId": "CVE-2026-14534",
    "datePublished": "2026-07-04T13:25:55.283Z",
    "dateReserved": "2026-07-03T00:02:49.289Z",
    "dateUpdated": "2026-07-04T13:25:55.283Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-14534\",\"sourceIdentifier\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\",\"published\":\"2026-07-04T14:16:28.400\",\"lastModified\":\"2026-07-04T14:16:28.400\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling\u0027s check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.\"}],\"affected\":[{\"source\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\",\"affectedData\":[{\"vendor\":\"trailofbits\",\"product\":\"fickling\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://pypi.org/project/fickling/\",\"packageName\":\"fickling\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"0.1.10\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"0.1.11\",\"versionType\":\"custom\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-184\"},{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://github.com/trailofbits/fickling/commit/e8408615b63adf034f891f653692ab9b51f0f5af\",\"source\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\"},{\"url\":\"https://github.com/trailofbits/fickling/pull/272\",\"source\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\"},{\"url\":\"https://github.com/trailofbits/fickling/releases/tag/v0.1.11\",\"source\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\"},{\"url\":\"https://github.com/trailofbits/fickling/security/advisories/GHSA-m6fh-58r7-x697\",\"source\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…