<Vulnerability name="CVE-2026-14534">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-04T13:25:55</PublicDate>
    <Bugzilla id="2497046" url="https://bugzilla.redhat.com/show_bug.cgi?id=2497046" xml:lang="en:us">
fickling: python: fickling: Arbitrary code execution due to incomplete denylist in deserialization
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>8.8</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-184</CWE>
    <Details xml:lang="en:us" source="Mitre">
Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling's check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in the `fickling` library, which is designed to safely handle Python pickle data. The library's security checks in versions up to and including 0.1.10 fail to properly identify and block certain dangerous Python standard library modules during deserialization. This oversight allows a remote attacker to craft a malicious data payload that, when processed, can execute arbitrary code on the system, potentially leading to full system compromise.
    </Details>
    <Statement xml:lang="en:us">
A flaw was found in Trail of Bits fickling versions through 0.1.10, where the UNSAFE_IMPORTS denylist is missing the Python standard library modules _posixsubprocess, site, and atexit. This allows a crafted pickle payload to invoke dangerous functions such as _posixsubprocess.fork_exec (arbitrary binary execution), site.execsitecustomize (arbitrary code execution), and atexit._run_exitfuncs (triggering all registered exit handlers) while fickling's check_safety() returns LIKELY_SAFE.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:exploit_intelligence:0">
        <ProductName>Exploit Intelligence</ProductName>
        <FixState>Affected</FixState>
        <PackageName>exploit-intelligence-tech-preview/vulnerability-analysis-rhel9</PackageName>
    </PackageState>
    <PackageState impact="important" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <FixState>Affected</FixState>
        <PackageName>python3.11</PackageName>
    </PackageState>
    <PackageState impact="important" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <FixState>Affected</FixState>
        <PackageName>python3.12</PackageName>
    </PackageState>
    <PackageState impact="important" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <FixState>Affected</FixState>
        <PackageName>python3.13</PackageName>
    </PackageState>
    <PackageState impact="important" cpe="cpe:/a:redhat:hummingbird:1">
        <ProductName>Red Hat Hardened Images</ProductName>
        <FixState>Affected</FixState>
        <PackageName>python3.14</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-14534
https://nvd.nist.gov/vuln/detail/CVE-2026-14534
https://github.com/trailofbits/fickling/commit/e8408615b63adf034f891f653692ab9b51f0f5af
https://github.com/trailofbits/fickling/pull/272
https://github.com/trailofbits/fickling/releases/tag/v0.1.11
https://github.com/trailofbits/fickling/security/advisories/GHSA-m6fh-58r7-x697
    </References>
</Vulnerability>