Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2026-14534
PUBLISHED
More InfoOfficial Page
Assigner-BombadilSystems
Assigner Org ID-aa17e1a1-c329-4d6e-a1ed-8d0188aea082
View Known Exploited Vulnerability (KEV) details
Published At-04 Jul, 2026 | 13:25
Updated At-04 Jul, 2026 | 13:25
Rejected At-
▼CVE Numbering Authority (CNA)
Fickling check_safety() bypass via unlisted standard library modules (_posixsubprocess, site, atexit)

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling's check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.

Affected Products
Vendor
trailofbits
Product
fickling
Collection URL
https://pypi.org/project/fickling/
Package Name
fickling
Default Status
unaffected
Versions
Affected
  • From 0 through 0.1.10 (custom)
Unaffected
  • 0.1.11 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-184CWE-184 Incomplete List of Disallowed Inputs
CWECWE-502CWE-502 Deserialization of Untrusted Data
Type: CWE
CWE ID: CWE-184
Description: CWE-184 Incomplete List of Disallowed Inputs
Type: CWE
CWE ID: CWE-502
Description: CWE-502 Deserialization of Untrusted Data
Metrics
VersionBase scoreBase severityVector
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
N/AAn attacker can craft a malicious pickle file that invokes _posixsubprocess.fork_exec to spawn arbitrary processes. When a victim's ML pipeline passes this file through fickling.load(), fickling classifies it as LIKELY_SAFE and deserializes it, executing attacker-controlled code with the privileges of the victim process.
CAPEC ID: N/A
Description: An attacker can craft a malicious pickle file that invokes _posixsubprocess.fork_exec to spawn arbitrary processes. When a victim's ML pipeline passes this file through fickling.load(), fickling classifies it as LIKELY_SAFE and deserializes it, executing attacker-controlled code with the privileges of the victim process.
Solutions

Configurations

Workarounds

Exploits

Credits

finder
Christopher Aziz (Bombadil Systems LLC)
Timeline
EventDate
Replaced By

Rejected Reason

References
HyperlinkResource
https://github.com/trailofbits/fickling/security/advisories/GHSA-m6fh-58r7-x697
N/A
https://github.com/trailofbits/fickling/pull/272
N/A
https://github.com/trailofbits/fickling/commit/e8408615b63adf034f891f653692ab9b51f0f5af
N/A
https://github.com/trailofbits/fickling/releases/tag/v0.1.11
N/A
Hyperlink: https://github.com/trailofbits/fickling/security/advisories/GHSA-m6fh-58r7-x697
Resource: N/A
Hyperlink: https://github.com/trailofbits/fickling/pull/272
Resource: N/A
Hyperlink: https://github.com/trailofbits/fickling/commit/e8408615b63adf034f891f653692ab9b51f0f5af
Resource: N/A
Hyperlink: https://github.com/trailofbits/fickling/releases/tag/v0.1.11
Resource: N/A
Details not found