CVE-2026-22606 Overview
CVE-2026-22606 is an Insecure Deserialization vulnerability in Fickling, a Python pickling decompiler and static analyzer developed by Trail of Bits. Fickling versions up to and including 0.1.6 fail to classify Python's runpy module as unsafe, resulting in malicious pickles that leverage runpy.run_path() or runpy.run_module() being incorrectly labeled as SUSPICIOUS instead of OVERTLY_MALICIOUS. This misclassification can lead users who rely on Fickling's security assessments to inadvertently execute attacker-controlled code on their systems.
Critical Impact
Users relying on Fickling as a security gate for pickle deserialization may unknowingly execute malicious code due to the misclassification of dangerous runpy module calls, potentially leading to full system compromise.
Affected Products
- Fickling versions 0.1.6 and earlier
- Any workflow or product using Fickling as a security gate for pickle deserialization
- Python applications relying on Fickling for pickle file safety analysis
Discovery Timeline
- 2026-01-10 - CVE CVE-2026-22606 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-22606
Vulnerability Analysis
This vulnerability stems from an incomplete blocklist implementation (CWE-184: Incomplete List of Disallowed Inputs) within Fickling's static analysis engine. When analyzing pickle files for potentially dangerous operations, Fickling maintains a list of Python modules and functions that are considered unsafe. However, versions through 0.1.6 did not include Python's built-in runpy module in this list despite its capability to execute arbitrary Python code.
The runpy module provides the run_path() and run_module() functions, which can execute arbitrary Python scripts and modules respectively. An attacker can craft a malicious pickle that invokes these functions to achieve code execution when the pickle is deserialized. Because Fickling fails to recognize these calls as overtly malicious, users who trust Fickling's analysis may proceed to deserialize what they believe is a merely suspicious but not definitely dangerous pickle file.
Root Cause
The root cause is an incomplete allowlist/blocklist implementation in Fickling's threat classification logic. The runpy module, despite being a native Python module capable of executing arbitrary code, was not included in Fickling's list of dangerous modules. This oversight in the threat detection taxonomy allows attackers to bypass Fickling's security classification by using runpy functions instead of more commonly flagged dangerous operations like os.system() or subprocess.Popen().
Attack Vector
The attack is network-based and requires no authentication or user interaction beyond the victim's reliance on Fickling for security decisions. An attacker can craft a malicious pickle file containing calls to runpy.run_path() or runpy.run_module() and distribute it through any channel where pickle files might be exchanged (model repositories, data pipelines, file shares, etc.).
When a user analyzes this pickle with a vulnerable version of Fickling, the tool classifies it as SUSPICIOUS rather than OVERTLY_MALICIOUS. If the user's security workflow permits deserialization of suspicious pickles—or if they interpret the lower threat level as acceptable risk—the malicious payload executes with the privileges of the deserializing process. The runpy.run_path() function can execute any Python script specified by path, while runpy.run_module() can run any available Python module, both providing full code execution capabilities.
Detection Methods for CVE-2026-22606
Indicators of Compromise
- Pickle files containing references to the runpy module or its functions (run_path, run_module)
- Unexpected Python process spawning following pickle deserialization operations
- Fickling analysis logs showing SUSPICIOUS classification for pickles that subsequently execute code
- Network connections or file system modifications occurring after loading pickle files
Detection Strategies
- Audit all pickle files for runpy module references regardless of Fickling's classification output
- Implement secondary analysis using manual inspection or alternative tools for pickles classified as SUSPICIOUS
- Monitor process execution chains for Python processes spawned from pickle deserialization contexts
- Review Fickling version in CI/CD pipelines and security tooling to ensure 0.1.7 or later is deployed
Monitoring Recommendations
- Enable verbose logging for all pickle deserialization operations in production environments
- Set up alerts for any pickle file analysis results, treating SUSPICIOUS classifications with the same urgency as OVERTLY_MALICIOUS
- Monitor file integrity on systems processing pickle files from untrusted sources
- Track Python interpreter child process creation as potential indicators of pickle-based exploitation
How to Mitigate CVE-2026-22606
Immediate Actions Required
- Upgrade Fickling to version 0.1.7 or later immediately across all environments
- Re-analyze any pickle files previously classified as SUSPICIOUS using the patched version
- Treat all SUSPICIOUS classifications from vulnerable Fickling versions as potentially malicious pending re-analysis
- Audit systems that may have deserialized pickles based on vulnerable Fickling assessments
Patch Information
Trail of Bits has released Fickling version 0.1.7 which addresses this vulnerability by adding the runpy module to the list of unsafe modules. The fix ensures that pickles containing runpy.run_path() or runpy.run_module() calls are correctly classified as OVERTLY_MALICIOUS. The patch is available through the GitHub Release v0.1.7 and can be installed via pip. The specific commit addressing this issue adds runpy to the threat classification rules.
Workarounds
- Manually inspect pickle files for runpy module references before trusting Fickling's classification
- Implement a secondary blocklist check that flags any pickle containing runpy references as malicious
- Avoid deserializing any pickle files classified as SUSPICIOUS until upgrade to 0.1.7 is complete
- Consider using pickle alternatives like JSON for data serialization where pickle's capabilities are not strictly required
# Upgrade Fickling to patched version
pip install --upgrade fickling>=0.1.7
# Verify installed version
pip show fickling | grep Version
# Re-analyze previously scanned pickle files
fickling --check-safety suspicious_pickle.pkl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
