Skip to main content

fickling EUVDEUVD-2026-41676

| CVE-2026-14535 CRITICAL
Protection Mechanism Failure (CWE-693)
2026-07-04 BombadilSystems GHSA-mgx3-9w7v-8674
9.8
CVSS 3.1 · NVD
Share

Severity by source

Vendor (BombadilSystems) PRIMARY
HIGH
qualitative
NVD
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Failure of fickling's safety gate lets an attacker-supplied pickle achieve full code execution during automated ML model loading, so AV:N/AC:L/PR:N/UI:N with total C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (BombadilSystems).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Updated
Jul 10, 2026 - 15:14 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 10, 2026 - 15:14 vuln.today
Analysis Updated
Jul 10, 2026 - 15:14 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 10, 2026 - 15:07 vuln.today
cvss_changed
Severity Changed
Jul 10, 2026 - 15:07 NVD
HIGH CRITICAL
CVSS changed
Jul 10, 2026 - 15:07 NVD
8.8 (HIGH) 9.8 (CRITICAL)
Analysis Generated
Jul 04, 2026 - 14:19 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 61 pypi packages depend on fickling (9 direct, 53 indirect)

Ecosystem-wide dependent count for version 0.1.12.

DescriptionNVD

In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports - it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deserialization while fickling's check_safety() returns LIKELY_SAFE. The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, meaning a LIKELY_SAFE verdict causes the payload to be deserialized and executed. The root cause is shared mutable state between independently-correct analysis passes - UnsafeImportsML works as designed in isolation, MLAllowlist works as designed in isolation, but the shared reported_shortened_code set causes UnsafeImportsML to poison MLAllowlist's deduplication logic.

AnalysisAI

Security-control bypass in Trail of Bits fickling (≤0.1.11) neuters its MLAllowlist analysis pass so that malicious pickle files pass fickling's check_safety() gate as LIKELY_SAFE, enabling arbitrary code execution when fickling.load() deserializes them. Because UnsafeImportsML pre-registers every import in the shared reported_shortened_code set, MLAllowlist always short-circuits and never validates imports against the known-safe ML ecosystem, so any standard-library module outside the UNSAFE_IMPORTS denylist can be smuggled through. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft pickle with non-denylisted stdlib import
Delivery
Deliver as model file to victim
Exploit
Victim runs fickling.load() safety gate
Install
MLAllowlist check silently skipped
C2
check_safety() returns LIKELY_SAFE
Execute
pickle.loads() executes payload
Impact
Arbitrary code execution on host

Vulnerability AssessmentAI

Exploitation Exploitation requires that the victim uses fickling ≤0.1.11 as a security gate-specifically fickling.load() or check_safety()-on an attacker-controlled pickle, and that the malicious payload relies on a module NOT present in fickling's UNSAFE_IMPORTS denylist (e.g., otherwise-benign standard-library imports) that MLAllowlist would normally have rejected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The input CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C/I/A:H = 9.8) reflects the downstream impact-arbitrary code execution via unsafe deserialization-rather than a directly network-reachable bug, since fickling itself is a library whose failure only manifests when a victim runs check_safety()/fickling.load() on an attacker-supplied pickle. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes a malicious ML model (or otherwise supplies a pickle) whose payload imports a standard-library module absent from fickling's UNSAFE_IMPORTS denylist to gain code execution during unpickling. A victim on fickling ≤0.1.11 calls fickling.load() (or check_safety()) as their safety gate; MLAllowlist never evaluates the import, check_safety() returns LIKELY_SAFE, and pickle.loads() runs the payload. …
Remediation Vendor-released patch: 0.1.12-upgrade fickling to 0.1.12 or later (pip install --upgrade 'fickling>=0.1.12'), which refactors shorten_code() into a pure formatter plus an explicit mark_reported() call and unregisters MLAllowlist from automatic dedup so it always runs; see PR https://github.com/trailofbits/fickling/pull/278, commit 41ce7cb01edd97072994039574a2301ebb3f463d, and release https://github.com/trailofbits/fickling/releases/tag/v0.1.12. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all systems using Trail of Bits fickling version 0.1.11 or earlier; implement compensating controls by disabling deserialization of untrusted pickle files or restricting fickling to validated, trusted sources only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Vendor StatusVendor

Share

EUVD-2026-41676 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy