CVE-2026-22608

High

Published: 10 January 2026

Published

10 January 2026

Modified

16 January 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0004 13.0th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22608 is a high-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Trailofbits Fickling. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006); ranked at the 13.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Python (T1059.006) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates CVE-2026-22608 by requiring timely flaw remediation through patching Fickling to version 0.1.7, which blocks ctypes and pydoc modules.

SI-10 Information Input Validation good match

prevent

Addresses the core issue of incomplete disallowed inputs (CWE-184) by enforcing validation of untrusted pickle inputs to prevent RCE via dangerous module chaining.

SI-3 Malicious Code Protection partial match

preventdetect

Provides defense-in-depth against deserialization RCE (CWE-502) by scanning and eradicating malicious code from crafted pickle files processed by Fickling.

MITRE ATT&CK Enterprise TechniquesAI

T1059.006 Python Execution

Adversaries may abuse Python commands and scripts for execution.

attack.mitre.org →

T1204.002 Malicious File Execution

An adversary may rely upon a user opening a malicious file in order to gain execution.

attack.mitre.org →

Why these techniques?

Deserialization flaw in Python pickle scanner directly enables arbitrary code execution (T1059.006) via malicious file supplied to the tool (T1204.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, both ctypes and pydoc modules aren't explicitly blocked. Even other existing pickle scanning tools (like picklescan) do not block pydoc.locate. Chaining these two together can achieve RCE…

while the scanner still reports the file as LIKELY_SAFE. This issue has been patched in version 0.1.7.

Deeper analysisAI

CVE-2026-22608 is a vulnerability in Fickling, a Python pickling decompiler and static analyzer, affecting versions prior to 0.1.7. The issue arises because the ctypes and pydoc modules are not explicitly blocked during pickle scanning. This allows chaining of these modules, including pydoc.locate, to execute arbitrary code even when the scanner reports the file as LIKELY_SAFE. Published on 2026-01-10, the vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWEs 184 (Incomplete List of Disallowed Inputs) and 502 (Deserialization of Untrusted Data).

A local attacker can exploit this vulnerability by supplying a specially crafted pickle file for analysis with Fickling. The attack requires low complexity and user interaction, such as a user running the scanner on the malicious file, but no special privileges. Successful exploitation results in remote code execution on the host system running Fickling, with high impacts to confidentiality, integrity, and availability.

The vulnerability has been patched in Fickling version 0.1.7. Mitigation involves updating to this version or later. Details are provided in the GitHub security advisory GHSA-5hvc-6wx8-mvv4, the release notes for v0.1.7, and the patching commit b793563e60a5e039c5837b09d7f4f6b92e6040d1.