CVE-2026-14534 in fickling
Summary
by MITRE • 07/04/2026
Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling's check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/04/2026
The vulnerability in Trail of Bits fickling versions up to and including 0110 stems from an incomplete security implementation that fails to properly safeguard against dangerous Python standard library modules during pickle deserialization. This flaw represents a critical oversight in the tool's safety checking mechanism, where the UNSAFE_IMPORTS denylist in ficklepy lacks essential modules including _posixsubprocess site and atexit which are all capable of executing arbitrary code when invoked through pickle payloads. The technical root cause lies in the check_safety function which returns LIKELY_SAFE verdicts for payloads containing these modules despite their inherent dangerous capabilities.
The operational impact of this vulnerability is severe as it allows malicious pickle payloads to bypass safety checks entirely. When fickling.load() API processes such payloads, it chains check_safety() into pickle.loads() creating an explicit security gate that can be circumvented by the absence of these critical modules from the denylist. The _posixsubprocess.fork_exec function specifically presents a significant risk as it operates at C-level allowing execution of arbitrary binaries, while site.execsitecustomize enables arbitrary site customization code execution and atexit._run_exitfuncs triggers all registered exit handler callbacks that could contain malicious code. These three modules collectively represent multiple attack vectors that can be exploited through carefully crafted pickle data.
This vulnerability shares the same fundamental root cause as other security issues affecting similar Python serialization tools including CVE-2026-22607 for cProfile CVE-2025-67748 for pty and CVE-2025-67747 for marshal types. The pattern demonstrates a systemic problem in how these tools handle standard library imports that may contain dangerous functionality but are not explicitly denied due to their inclusion in the Python standard library. The security mechanisms fail because OvertlyBadEvals does not flag these modules as they are legitimate standard library imports while UnsafeImports fails to detect them since they remain unlisted in the denylist. Additionally the UnusedVariables heuristic is defeated by SETITEMS opcode patterns that obscure the malicious intent of these dangerous imports.
The mitigation strategy requires immediate updates to the UNSAFE_IMPORTS denylist to include _posixsubprocess site and atexit modules along with comprehensive review of all standard library imports that could potentially be exploited in deserialization attacks. Security teams should implement additional verification layers beyond simple denylisting including dynamic analysis of imported module behavior and runtime monitoring for suspicious activities. Organizations using fickling or similar tools should conduct immediate security assessments to identify any potential exploitation of this vulnerability and update their tooling to the patched versions that properly address these missing security checks. This vulnerability demonstrates the critical importance of comprehensive security testing and the need for security mechanisms to account for all potential attack vectors rather than relying on incomplete denylists. The flaw also highlights the importance of understanding how different Python opcodes and import patterns can be used to evade detection systems, as evidenced by the SETITEMS opcode pattern defeating the UnusedVariables heuristic.