highCVE-2026-14534

CVE-2026-14534 fickling vulnerability

Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling's check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.

Productfickling
CVSS8.8
EPSSNot scored yet
UpdatedJuly 13, 2026

Quick answer

trailofbits fickling should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • Review vendor advisory for affected versions.

Fixed versions

  • Apply the latest vendor-supported patched version.

How to fix it

CVE-2026-14534 affects Trail of Bits Fickling pickle-safety analysis. Upgrade to 0.1.11, verify patch e8408615b63a is included, and do not treat Fickling verdicts as a standalone authorization gate for untrusted pickle execution. Affected ranges in the local record are through 0.1.10.

  1. Inventory Python services, notebooks, ML pipelines, upload processors, CI jobs, and scanning tools that import Fickling or run pickle safety checks.
  2. Find workflows where untrusted pickle, model, or serialized Python files can reach Fickling and then be loaded by pickle, torch, joblib, or similar APIs.
  3. Upgrade Fickling to 0.1.11, or rebuild from an upstream revision that includes patch e8408615b63a.
  4. Pin and rebuild Python environments, containers, lockfiles, and worker images so older Fickling versions are removed from direct and transitive dependencies.
  5. Block automatic deserialization of untrusted pickle payloads; require allowlisted sources, detached signature checks, and sandboxed analysis.
  6. Review logs and stored uploads for suspicious pickle payloads, unsafe imports, unexpected allowlist bypasses, or attempted process execution.
  7. Deploy patched workers to staging first, run malicious pickle regression samples, then promote to production with monitoring for deserialization alerts.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm package metadata shows Fickling 0.1.11 or a later patched build everywhere it is installed.
  • Run regression payloads that exercise unsafe imports and ML allowlist paths and confirm Fickling reports them instead of returning likely safe.
  • Check containers, virtual environments, and notebooks to ensure no older Fickling copy remains earlier in PYTHONPATH.
  • Open the generated Fixnx page and confirm the canonical URL ends with fickling-cve-2026-14534.
  • Re-run sitemap validation and confirm fickling-cve-2026-14534 appears once in sitemap.xml with the full CVE-2026-14534 suffix.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-14534?

trailofbits fickling should be checked against the vendor advisory and trusted references linked on this page.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

How are Fixnx security risk categories chosen?

Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.