External risk intelligence

Trail of Bits Fickling Analysis Bypass Allows Unsafe Imports

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-14535

The vulnerability exists within a Python library used for static analysis and security auditing of pickle files. It is a developer-focused tool typically integrated into local build or development workflows, rather than an internet-facing service or appliance.

Deserialization

Trailofbits Fickling

0.1.11 and earlier

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A security flaw in the fickling analysis tool can allow malicious code to be executed during the deserialization of pickle files, bypassing safety checks. This issue stems from an interaction between different analysis passes within the tool, where one pass inadvertently disables a critical security check in another.

  • Malicious code can run through deserialized files.
  • Disables a critical safety check in analysis.
  • Confirm tool usage and exposure for analysis.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by crafting a malicious pickle file that bypasses security checks within the fickling library. The vulnerability arises from a shared state issue where an initial analysis pass unintentionally disables a subsequent security check. This allows for the deserialization and execution of arbitrary code through the `fickling.load()` API, even when the system indicates a likely safe outcome.

  • Entry condition: Malicious pickle data is prepared.
  • Trigger point: Data is loaded using the affected API.
  • Resulting risk: Arbitrary code execution is enabled.

Live Threat

Current exploitation, exposure, and threat context

When analysis passes in `fickling` interact improperly due to shared state, the security checks designed to prevent malicious code execution during pickle deserialization can be bypassed. This could allow for the execution of arbitrary code from untrusted pickle data, even when `fickling`'s `check_safety()` function indicates a likely safe status.

  • Arbitrary code execution.
  • Bypassing security checks via shared state.
  • Remote code execution by an attacker.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Platform or Development Tools team is likely responsible for this vulnerability within the fickling library, as it impacts code analysis and security auditing tools. The immediate first step is to identify all instances where fickling is used in the development or build pipeline, confirm if these instances process untrusted input, and then coordinate with the team managing the fickling integration for remediation.

  • Own the fix: Platform/Development Tools team.
  • Verify first: Fickling usage, untrusted input processing.
  • Action: Coordinate upgrade or code change.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Trail of Bits fickling library used for?

Fickling is a Python tool designed for static analysis and security auditing of pickle files. Developers use it to inspect serialized Python data before deserialization, aiming to identify potentially dangerous instructions that could compromise a system when processed by the standard pickle module.

What does CVE-2026-14535 mean for fickling's safety checks?

This vulnerability is a logic error classified under CWE-693 (Protection Mechanism Failure). It occurs because two internal analysis steps share information improperly. One step incorrectly signals to the next that a safety check is already complete. This causes the library to skip vital security filters, erroneously labeling malicious imports as 'likely safe' and allowing them to execute during deserialization.

How can an attacker trigger this vulnerability?

An attacker must provide a specially crafted, malicious pickle file to an application that processes data using the fickling.load() API. The bug is not triggered by standard library modules explicitly listed on the tool's unsafe denylist; instead, it affects the mechanism intended to catch everything else, allowing hidden malicious payloads to slip through the security gate.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal indicates that exploitation is very unlikely. Because fickling is a developer-focused tool typically integrated into local build or development workflows—rather than being an internet-facing service or appliance—it is rarely positioned where a remote attacker could directly interact with it.

What should I do if I use fickling in my environment?

First, identify all systems or CI/CD pipelines where fickling is integrated. Determine if these instances process untrusted input. If your project uses versions 0.1.11 or earlier, coordinate with your development or platform tools team to update to a patched version, which ensures the library's security checks operate independently and correctly.

References