CVE-2026-14534
HighCVSS 8.8Summary
The vulnerability in fickling up to version 0.1.10 is due to missing Python standard library modules (_posixsubprocess, site, atexit) from the UNSAFE_IMPORTS denylist. This causes check_safety() to incorrectly classify malicious pickle payloads as LIKELY_SAFE, allowing deserialization and execution of dangerous functions like fork_exec, execsitecustomize, or _run_exitfuncs.
Risk Assessment
An attacker can remotely execute arbitrary binary code or Python scripts on the server, leading to full system compromise, data theft, or service disruption.
Recommendation
Immediately update fickling to version 0.1.11 or later, which includes the corrected UNSAFE_IMPORTS list. Until updated, avoid using fickling.load() to deserialize untrusted data.
Original NVD description (English source)
Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling's check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.

