CVE-2026-14535 fickling vulnerability
In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports — it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deserialization while fickling's check_safety() returns LIKELY_SAFE. The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, meaning a LIKELY_SAFE verdict causes the payload to be deserialized and executed. The root cause is shared mutable state between independently-correct analysis passes — UnsafeImportsML works as designed in isolation, MLAllowlist works as designed in isolation, but the shared reported_shortened_code set causes UnsafeImportsML to poison MLAllowlist's deduplication logic.
Quick answer
trailofbits fickling should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Review vendor advisory for affected versions.
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
CVE-2026-14535 affects Trail of Bits Fickling pickle-safety analysis. Upgrade to 0.1.12, verify patch 41ce7cb01edd is included, and do not treat Fickling verdicts as a standalone authorization gate for untrusted pickle execution. Affected ranges in the local record are through 0.1.11.
- Inventory Python services, notebooks, ML pipelines, upload processors, CI jobs, and scanning tools that import Fickling or run pickle safety checks.
- Find workflows where untrusted pickle, model, or serialized Python files can reach Fickling and then be loaded by pickle, torch, joblib, or similar APIs.
- Upgrade Fickling to 0.1.12, or rebuild from an upstream revision that includes patch 41ce7cb01edd.
- Pin and rebuild Python environments, containers, lockfiles, and worker images so older Fickling versions are removed from direct and transitive dependencies.
- Block automatic deserialization of untrusted pickle payloads; require allowlisted sources, detached signature checks, and sandboxed analysis.
- Review logs and stored uploads for suspicious pickle payloads, unsafe imports, unexpected allowlist bypasses, or attempted process execution.
- Deploy patched workers to staging first, run malicious pickle regression samples, then promote to production with monitoring for deserialization alerts.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm package metadata shows Fickling 0.1.12 or a later patched build everywhere it is installed.
- Run regression payloads that exercise unsafe imports and ML allowlist paths and confirm Fickling reports them instead of returning likely safe.
- Check containers, virtual environments, and notebooks to ensure no older Fickling copy remains earlier in PYTHONPATH.
- Open the generated Fixnx page and confirm the canonical URL ends with fickling-cve-2026-14535.
- Re-run sitemap validation and confirm fickling-cve-2026-14535 appears once in sitemap.xml with the full CVE-2026-14535 suffix.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-14535?
trailofbits fickling should be checked against the vendor advisory and trusted references linked on this page.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
How are Fixnx security risk categories chosen?
Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.
