<Vulnerability name="CVE-2026-14535">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-04T13:31:14</PublicDate>
    <Bugzilla id="2497049" url="https://bugzilla.redhat.com/show_bug.cgi?id=2497049" xml:lang="en:us">
fickling: Fickling: Arbitrary code execution via pickle deserialization bypass
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>8.8</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-693</CWE>
    <Details xml:lang="en:us" source="Mitre">
In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports — it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deserialization while fickling's check_safety() returns LIKELY_SAFE. The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, meaning a LIKELY_SAFE verdict causes the payload to be deserialized and executed. The root cause is shared mutable state between independently-correct analysis passes — UnsafeImportsML works as designed in isolation, MLAllowlist works as designed in isolation, but the shared reported_shortened_code set causes UnsafeImportsML to poison MLAllowlist's deduplication logic.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in the fickling library, versions up to and including 0.1.11. A logic error in the security analysis passes allows an attacker to bypass intended safety checks during `pickle` deserialization. This vulnerability enables the invocation of arbitrary standard library modules, leading to the execution of malicious code. The `fickling.load()` API, designed as a security gate, incorrectly reports payloads as safe, allowing them to be deserialized and executed.
    </Details>
    <Statement xml:lang="en:us">
A flaw was found in Trail of Bits fickling versions through 0.1.11, where a logic error in the security analysis pipeline silently disables the MLAllowlist safety check. The UnsafeImportsML pass inadvertently populates the shared reported_shortened_code set for all imports, causing the MLAllowlist pass to skip its allowlist evaluation entirely. This allows standard library modules outside the denylist to pass check_safety() as LIKELY_SAFE, enabling arbitrary code execution when fickling.load() proceeds with deserialization. The upstream advisory rates this as Moderate severity; Red Hat's assessment reflects the arbitrary code execution impact in the CVSS score.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:exploit_intelligence:0">
        <ProductName>Exploit Intelligence</ProductName>
        <FixState>Affected</FixState>
        <PackageName>exploit-intelligence-tech-preview/vulnerability-analysis-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-14535
https://nvd.nist.gov/vuln/detail/CVE-2026-14535
https://github.com/trailofbits/fickling/commit/41ce7cb01edd97072994039574a2301ebb3f463d
https://github.com/trailofbits/fickling/pull/278
https://github.com/trailofbits/fickling/releases/tag/v0.1.12
https://github.com/trailofbits/fickling/security/advisories/GHSA-cffv-grgg-g429
    </References>
</Vulnerability>