CVE-2026-22606
Published: 10 January 2026
Summary
CVE-2026-22606 is a high-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Trail of Bits Fickling. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006). The CVE ranks at the 19.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the flaw in Fickling by requiring timely patching to version 0.1.7, which corrects the misclassification so that runpy-using pickles are rated OVERTLY_MALICIOUS.
Enables identification of CVE-2026-22606 in Fickling through ongoing vulnerability scanning of software components and dependencies.
Provides defense-in-depth by scanning for and blocking malicious code execution resulting from deserialization of misclassified pickles.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables evasion of pickle safety analysis, directly facilitating arbitrary Python code execution via runpy in malicious serialized objects (CWE-502).
NVD Description
Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python’s runpy module as unsafe. Because of this, a malicious pickle that uses runpy.run_path() or runpy.run_module() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS. If a user relies on Fickling’s output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.
Deeper analysis
CVE-2026-22606 is a vulnerability in Fickling, an open-source Python pickling decompiler and static analyzer. Versions up to and including 0.1.6 fail to classify the use of Python's runpy module as unsafe, specifically runpy.run_path() or runpy.run_module(). As a result, malicious pickles invoking these functions are labeled SUSPICIOUS rather than OVERTLY_MALICIOUS. This misclassification affects any workflows or products that depend on Fickling's analysis as a security gate prior to pickle deserialization, potentially tricking users into processing unsafe data. The issue is rated 7.8 on the CVSS v3.1 scale (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-184 (Incomplete List of Disallowed Inputs) and CWE-502 (Deserialization of Untrusted Data).
An attacker can exploit this by crafting a pickle that leverages runpy to execute arbitrary code, then providing it to a target using vulnerable Fickling versions for safety checks. Exploitation requires local access to deliver the pickle and user interaction to trigger deserialization despite the SUSPICIOUS rating, with no privileges needed. Successful exploitation allows the attacker to achieve high-impact confidentiality, integrity, and availability violations through code execution on the victim's system.
The vulnerability has been patched in Fickling version 0.1.7, as detailed in the project's GitHub security advisory (GHSA-wfq2-52f7-7qvj), release notes, and the fixing commit (9a2b3f89bd0598b528d62c10a64c1986fcb09f66). Security practitioners using Fickling should upgrade to 0.1.7 or later and avoid relying solely on its classifications for untrusted pickle deserialization decisions.
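As a defense-in-depth illustration of the CWE-184 gap described above, the following added example (not code from the advisory or from the Fickling project) statically lists the globals a pickle would import and compares a denylist gate with an allowlist gate. The DENYLIST and ALLOWLIST contents, the function names and both sample pickles are assumptions constructed for this example; nothing is ever unpickled.

```python
import collections
import pickle
import pickletools

# Assumed policy values for this example, not Fickling's real lists.
# runpy is deliberately absent from the denylist, mirroring the gap in <= 0.1.6.
DENYLIST = {"os", "subprocess", "builtins"}
ALLOWLIST = {("collections", "OrderedDict")}


def imported_globals(data: bytes):
    """Return (module, name) pairs a pickle would import, without unpickling it."""
    found, strings = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)  # genops joins the pair with a space
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            # Heuristic: module and name are the two most recent string pushes.
            if len(strings) < 2:
                found.append(("<unresolved>", "<unresolved>"))
            else:
                found.append((strings[-2], strings[-1]))
        elif isinstance(arg, str):
            strings.append(arg)
    return found


def denylist_verdict(data: bytes) -> str:
    """Reject only if a known-bad top-level module is imported."""
    bad = [g for g in imported_globals(data) if g[0].split(".")[0] in DENYLIST]
    return "reject" if bad else "accept"


def allowlist_verdict(data: bytes) -> str:
    """Reject anything that is not explicitly expected."""
    unknown = [g for g in imported_globals(data) if g not in ALLOWLIST]
    return "reject" if unknown else "accept"


# Constructed samples. RUNPY_REF holds only a GLOBAL opcode naming runpy.run_path
# followed by STOP: no arguments and no call. Neither sample is passed to pickle.loads().
RUNPY_REF = b"crunpy\nrun_path\n."
BENIGN = pickle.dumps(collections.OrderedDict(a=1), protocol=4)

if __name__ == "__main__":
    for label, blob in (("runpy reference", RUNPY_REF), ("OrderedDict", BENIGN)):
        print(label, imported_globals(blob), denylist_verdict(blob), allowlist_verdict(blob))
```

The denylist gate accepts the runpy reference because the module was never enumerated, while the allowlist gate rejects it without needing to know about runpy at all.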
Details
- CWE(s)