Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-56304

CVE-2026-56304: Mmaitre314 Picklescan RCE Vulnerability

CVE-2026-56304 is an unsafe pickle deserialization flaw in Mmaitre314 Picklescan that allows attackers to create arbitrary zero-byte files and bypass RCE blocklists. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-56304 Overview

CVE-2026-56304 affects picklescan versions before 1.0.1, a tool designed to scan Python pickle files for malicious content. The vulnerability allows unauthenticated attackers to create arbitrary zero-byte files on disk through unsafe deserialization of logging.FileHandler class instantiation. By crafting malicious pickle payloads, attackers bypass remote code execution (RCE) blocklists and create lock files or other filesystem artifacts. The flaw is categorized under [CWE-502] Deserialization of Untrusted Data, and exploitation can disrupt applications relying on picklescan for security analysis.

Critical Impact

Unauthenticated attackers can create arbitrary zero-byte files via crafted pickle payloads, potentially triggering denial of service or bypassing security controls in workflows that rely on picklescan.

Affected Products

  • mmaitre314 picklescan versions before 1.0.1
  • Python ML pipelines using picklescan for model file scanning
  • Applications integrating picklescan for pickle validation

Discovery Timeline

  • 2026-06-20 - CVE-2026-56304 published to NVD
  • 2026-06-24 - Last updated in NVD database

Technical Details for CVE-2026-56304

Vulnerability Analysis

The vulnerability stems from picklescan's incomplete blocklist for dangerous classes during pickle deserialization analysis. While the tool blocks well-known RCE-enabling classes, it fails to flag logging.FileHandler as a security-relevant class. When a pickle file is processed, the FileHandler constructor opens a file path supplied by the attacker, creating a zero-byte file on disk as a side effect of handler initialization.

This primitive does not yield direct code execution but provides an arbitrary file creation capability. Attackers can place lock files in locations that interfere with application startup, overwrite size-sensitive markers, or create files in directories monitored by other services. The impact extends to ML supply chain workflows where picklescan is used as a gatekeeper for untrusted model files.

Root Cause

The root cause is an insufficient denylist within picklescan's static analysis logic. The scanner enumerates pickle opcodes searching for known-bad imports but does not treat logging.FileHandler as dangerous despite its filesystem side effects. Any class with constructor side effects that touches the filesystem, network, or process state can bypass detection if it is absent from the blocklist.

Attack Vector

An attacker crafts a pickle payload that, when scanned or loaded, instantiates logging.FileHandler with an attacker-chosen path. The payload is delivered through any channel that consumes pickle files, such as a model repository, a shared artifact, or an upload endpoint. Because the issue stems from class instantiation rather than __reduce__ abuse of obvious RCE primitives, the payload evades existing blocklists.

No authentication is required, and exploitation requires no user interaction beyond standard pickle processing. Refer to the VulnCheck Advisory on Picklescan for additional technical detail on the bypass mechanism.

Detection Methods for CVE-2026-56304

Indicators of Compromise

  • Unexpected zero-byte files appearing in directories accessed by Python processes that handle pickle files
  • Pickle artifacts containing logging.FileHandler import references at the opcode level
  • Application errors or stalls caused by unexpected lock files or pre-existing path conflicts

Detection Strategies

  • Inspect pickle files using independent opcode-level tooling such as pickletools.dis to enumerate all imported classes, not just known-bad ones
  • Hunt for invocations of picklescan versions earlier than 1.0.1 in software bills of materials and dependency manifests
  • Alert when Python processes create zero-byte files in unexpected paths shortly after pickle scanning or loading operations

Monitoring Recommendations

  • Log all pickle scanning operations with file paths, hashes, and resulting scanner verdicts for post-incident review
  • Monitor file creation events in directories accessible to ML pipeline workers and correlate with pickle processing activity
  • Track dependency versions of picklescan across CI/CD pipelines and ML training environments

How to Mitigate CVE-2026-56304

Immediate Actions Required

  • Upgrade picklescan to version 1.0.1 or later across all environments where pickle files are validated
  • Audit existing pickle artifacts in model registries and shared storage for logging.FileHandler references
  • Restrict filesystem permissions of processes that deserialize pickle data to minimize impact of arbitrary file creation

Patch Information

The vendor released a fix in picklescan 1.0.1 that adds logging.FileHandler and related classes to the deserialization blocklist. See the GitHub Security Advisory GHSA-m7j5-r2p5-c39r for full remediation details and patched release notes.

Workarounds

  • Treat pickle files from untrusted sources as inherently dangerous and prefer safer serialization formats such as safetensors or JSON for model exchange
  • Execute pickle scanning and loading inside sandboxed environments with read-only or ephemeral filesystems
  • Pre-screen pickle files with custom opcode inspection that flags any non-allowlisted import, rather than relying solely on blocklist-based scanners
bash
# Upgrade picklescan to the patched version
pip install --upgrade 'picklescan>=1.0.1'

# Verify installed version
python -c "import picklescan; print(picklescan.__version__)"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.