CVE-2026-14535 (GCVE-0-2026-14535)

Vulnerability from cvelistv5 – Published: 2026-07-04 13:31 – Updated: 2026-07-04 13:31
VLAI
Title
Fickling MLAllowlist analysis pass rendered inoperative by shared mutable state in AnalysisContext.shorten_code()
Summary
In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports — it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deserialization while fickling's check_safety() returns LIKELY_SAFE. The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, meaning a LIKELY_SAFE verdict causes the payload to be deserialized and executed. The root cause is shared mutable state between independently-correct analysis passes — UnsafeImportsML works as designed in isolation, MLAllowlist works as designed in isolation, but the shared reported_shortened_code set causes UnsafeImportsML to poison MLAllowlist's deduplication logic.
CWE
  • CWE-693 - Protection Mechanism Failure
Assigner
Impacted products
Vendor Product Version
trailofbits fickling Affected: 0 , ≤ 0.1.11 (custom)
Unaffected: 0.1.12 (custom)
Create a notification for this product.
Date Public
2026-06-28 00:08
Credits
Christopher Aziz (Bombadil Systems LLC)
Show details on NVD website

{
  "containers": {
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pypi.org/project/fickling/",
          "defaultStatus": "unaffected",
          "packageName": "fickling",
          "product": "fickling",
          "vendor": "trailofbits",
          "versions": [
            {
              "lessThanOrEqual": "0.1.11",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            },
            {
              "status": "unaffected",
              "version": "0.1.12",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Christopher Aziz (Bombadil Systems LLC)"
        }
      ],
      "datePublic": "2026-06-28T00:08:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eIn Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports \u2014 it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deserialization while fickling\u0027s check_safety() returns LIKELY_SAFE. The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, meaning a LIKELY_SAFE verdict causes the payload to be deserialized and executed. The root cause is shared mutable state between independently-correct analysis passes \u2014 UnsafeImportsML works as designed in isolation, MLAllowlist works as designed in isolation, but the shared reported_shortened_code set causes UnsafeImportsML to poison MLAllowlist\u0027s deduplication logic.\u003c/p\u003e"
            }
          ],
          "value": "In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports \u2014 it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deserialization while fickling\u0027s check_safety() returns LIKELY_SAFE. The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, meaning a LIKELY_SAFE verdict causes the payload to be deserialized and executed. The root cause is shared mutable state between independently-correct analysis passes \u2014 UnsafeImportsML works as designed in isolation, MLAllowlist works as designed in isolation, but the shared reported_shortened_code set causes UnsafeImportsML to poison MLAllowlist\u0027s deduplication logic."
        }
      ],
      "impacts": [
        {
          "descriptions": [
            {
              "lang": "en",
              "value": "An attacker can craft a malicious pickle file that imports any standard library module not in fickling\u0027s UNSAFE_IMPORTS denylist. Because the MLAllowlist check is silently skipped due to shared state pollution from UnsafeImportsML, fickling\u0027s check_safety() returns LIKELY_SAFE. When used with fickling.load(), the payload is deserialized and arbitrary code executes in the victim\u0027s environment. This is distinct from denylist incompleteness (CWE-184) because the allowlist mechanism was specifically designed to catch imports that the denylist misses, and a code defect renders it entirely inoperative."
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-693",
              "description": "CWE-693 Protection Mechanism Failure",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-07-04T13:31:14.937Z",
        "orgId": "aa17e1a1-c329-4d6e-a1ed-8d0188aea082",
        "shortName": "BombadilSystems"
      },
      "references": [
        {
          "name": "GitHub Security Advisory GHSA-cffv-grgg-g429",
          "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-cffv-grgg-g429"
        },
        {
          "name": "Fix PR #278 \u2014 Split shorten_code() formatting from dedup tracking, make MLAllowlist opt-in",
          "url": "https://github.com/trailofbits/fickling/pull/278"
        },
        {
          "name": "Fix commit 41ce7cb (squash merge of PR #278)",
          "url": "https://github.com/trailofbits/fickling/commit/41ce7cb01edd97072994039574a2301ebb3f463d"
        },
        {
          "name": "Fickling v0.1.12 release",
          "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.12"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Fickling MLAllowlist analysis pass rendered inoperative by shared mutable state in AnalysisContext.shorten_code()",
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "aa17e1a1-c329-4d6e-a1ed-8d0188aea082",
    "assignerShortName": "BombadilSystems",
    "cveId": "CVE-2026-14535",
    "datePublished": "2026-07-04T13:31:14.937Z",
    "dateReserved": "2026-07-03T00:02:55.918Z",
    "dateUpdated": "2026-07-04T13:31:14.937Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-14535\",\"sourceIdentifier\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\",\"published\":\"2026-07-04T14:16:29.063\",\"lastModified\":\"2026-07-04T14:16:29.063\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports \u2014 it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deserialization while fickling\u0027s check_safety() returns LIKELY_SAFE. The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, meaning a LIKELY_SAFE verdict causes the payload to be deserialized and executed. The root cause is shared mutable state between independently-correct analysis passes \u2014 UnsafeImportsML works as designed in isolation, MLAllowlist works as designed in isolation, but the shared reported_shortened_code set causes UnsafeImportsML to poison MLAllowlist\u0027s deduplication logic.\"}],\"affected\":[{\"source\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\",\"affectedData\":[{\"vendor\":\"trailofbits\",\"product\":\"fickling\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://pypi.org/project/fickling/\",\"packageName\":\"fickling\",\"versions\":[{\"version\":\"0\",\"lessThanOrEqual\":\"0.1.11\",\"versionType\":\"custom\",\"status\":\"affected\"},{\"version\":\"0.1.12\",\"versionType\":\"custom\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-693\"}]}],\"references\":[{\"url\":\"https://github.com/trailofbits/fickling/commit/41ce7cb01edd97072994039574a2301ebb3f463d\",\"source\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\"},{\"url\":\"https://github.com/trailofbits/fickling/pull/278\",\"source\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\"},{\"url\":\"https://github.com/trailofbits/fickling/releases/tag/v0.1.12\",\"source\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\"},{\"url\":\"https://github.com/trailofbits/fickling/security/advisories/GHSA-cffv-grgg-g429\",\"source\":\"aa17e1a1-c329-4d6e-a1ed-8d0188aea082\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…