Cyber Resilience

CVE-2026-22608

HighRCE

Published: 10 January 2026

Published
10 January 2026
Modified
16 January 2026
KEV Added
Patch
CVSS Score v4 8.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0035 26.4th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-22608 is a high-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Trailofbits Fickling. Its CVSS base score is 8.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006); ranked at the 26.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22608 is a vulnerability in Fickling, a Python pickling decompiler and static analyzer, affecting versions prior to 0.1.7. The issue arises because the ctypes and pydoc modules are not explicitly blocked during pickle scanning. This allows chaining of these modules, including pydoc.locate, to execute arbitrary code even when the scanner reports the file as LIKELY_SAFE. Published on 2026-01-10, the vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWEs 184 (Incomplete List of Disallowed Inputs) and 502 (Deserialization of Untrusted Data).

A local attacker can exploit this vulnerability by supplying a specially crafted pickle file for analysis with Fickling. The attack requires low complexity and user interaction, such as a user running the scanner on the malicious file, but no special privileges. Successful exploitation results in remote code execution on the host system running Fickling, with high impacts to confidentiality, integrity, and availability.

The vulnerability has been patched in Fickling version 0.1.7. Mitigation involves updating to this version or later. Details are provided in the GitHub security advisory GHSA-5hvc-6wx8-mvv4, the release notes for v0.1.7, and the patching commit b793563e60a5e039c5837b09d7f4f6b92e6040d1.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, both ctypes and pydoc modules aren't explicitly blocked. Even other existing pickle scanning tools (like picklescan) do not block pydoc.locate. Chaining these two together can achieve RCE…

more

while the scanner still reports the file as LIKELY_SAFE. This issue has been patched in version 0.1.7.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Deserialization flaw in Python pickle scanner directly enables arbitrary code execution (T1059.006) via malicious file supplied to the tool (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22607Same product: Trailofbits Fickling
CVE-2026-22609Same product: Trailofbits Fickling
CVE-2026-22606Same product: Trailofbits Fickling
CVE-2026-22612Same product: Trailofbits Fickling
CVE-2026-31219Shared CWE-502
CVE-2026-7584Shared CWE-502
CVE-2026-24150Shared CWE-502
CVE-2026-24165Shared CWE-502
CVE-2026-33753Same vendor: Trailofbits
CVE-2026-24152Shared CWE-502

Affected Assets

trailofbits
fickling
≤ 0.1.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates CVE-2026-22608 by requiring timely flaw remediation through patching Fickling to version 0.1.7, which blocks ctypes and pydoc modules.

prevent

Addresses the core issue of incomplete disallowed inputs (CWE-184) by enforcing validation of untrusted pickle inputs to prevent RCE via dangerous module chaining.

preventdetect

Provides defense-in-depth against deserialization RCE (CWE-502) by scanning and eradicating malicious code from crafted pickle files processed by Fickling.

References