CVE-2026-22607
Published: 10 January 2026
Summary
CVE-2026-22607 is a high-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Trailofbits Fickling. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006); ranked at the 19.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-22607 by requiring timely patching of Fickling to version 0.1.7, which correctly classifies cProfile.run() as OVERTLY_MALICIOUS.
Enables detection of CVE-2026-22607 in Fickling through vulnerability scanning of system components and dependencies used for pickle analysis.
Provides awareness of security advisories like GHSA-p523-jq9w-64x9 for vulnerabilities in tools like Fickling relied upon for deserialization safety checks.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability enables misclassified malicious pickle deserialization leading to Python code execution (T1059.006) via user-processed malicious file (T1204.002).
NVD Description
Fickling is a Python pickling decompiler and static analyzer. Fickling versions up to and including 0.1.6 do not treat Python's cProfile module as unsafe. Because of this, a malicious pickle that uses cProfile.run() is classified as SUSPICIOUS instead of OVERTLY_MALICIOUS.…
more
If a user relies on Fickling's output to decide whether a pickle is safe to deserialize, this misclassification can lead them to execute attacker-controlled code on their system. This affects any workflow or product that uses Fickling as a security gate for pickle deserialization. This issue has been patched in version 0.1.7.
Deeper analysisAI
CVE-2026-22607 is a vulnerability in Fickling, an open-source Python pickling decompiler and static analyzer. Versions up to and including 0.1.6 fail to classify the use of Python's cProfile module as unsafe, resulting in malicious pickles that invoke cProfile.run() being labeled as SUSPICIOUS rather than OVERTLY_MALICIOUS. This misclassification affects any workflow or product that depends on Fickling's analysis as a security gate prior to pickle deserialization, potentially tricking users into processing dangerous data. The issue is rated at CVSS 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-184 (Incomplete List of Disallowed Inputs) and CWE-502 (Deserialization of Untrusted Data).
An attacker with local access can craft a malicious pickle file that leverages cProfile.run() to execute arbitrary code upon deserialization. Exploitation requires a user to interact with Fickling's output—such as reviewing its SUSPICIOUS classification and deciding to proceed with deserialization—leading to full compromise of confidentiality, integrity, and availability on the victim's system through attacker-controlled code execution. No privileges are needed (PR:N), but the attack is local (AV:L) and low complexity (AC:L).
The vulnerability has been addressed in Fickling version 0.1.7, where cProfile is now properly treated as unsafe. Security advisories and the patch commit are available on the project's GitHub repository, including the release notes for v0.1.7 and the GHSA-p523-jq9w-64x9 advisory, recommending immediate upgrade for users relying on Fickling for pickle safety checks.
Details
- CWE(s)