CVE-2026-22609

HighPublic PoC

Published: 10 January 2026

Published

10 January 2026

Modified

16 January 2026

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0005 15.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22609 is a high-severity Incomplete List of Disallowed Inputs (CWE-184) vulnerability in Trailofbits Fickling. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006); ranked at the 15.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Python (T1059.006). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring timely remediation of the flaw in Fickling's unsafe_imports() method through patching to version 0.1.7 or later.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Vulnerability scanning identifies systems running vulnerable versions of Fickling, enabling proactive patching before malicious pickles can bypass safety checks.

SI-5 Security Alerts, Advisories, and Directives partial match

preventdetect

Receiving and acting on security advisories for CVE-2026-22609 ensures dissemination of patching information to prevent exploitation of undetected high-risk module imports.

MITRE ATT&CK Enterprise TechniquesAI

T1059.006 Python Execution

Adversaries may abuse Python commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Vulnerability bypasses static detection of high-risk Python imports in pickles, directly enabling undetected arbitrary code execution upon unpickling via Python interpreter.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, the unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules…

will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks. This issue has been patched in version 0.1.7.

Deeper analysisAI

Fickling, a Python pickling decompiler and static analyzer, contains a vulnerability prior to version 0.1.7 where the unsafe_imports() method in its static analyzer fails to flag several high-risk Python modules capable of arbitrary code execution. As a result, malicious pickles that import these modules evade detection, bypassing Fickling's primary static safety checks. This flaw is classified under CWE-184 and CWE-502, with a CVSS v3.1 base score of 7.8.

An attacker with local access can exploit this vulnerability by crafting a malicious pickle file that imports undetected high-risk modules and tricking a user into analyzing it with an affected version of Fickling. The low attack complexity and requirement for user interaction (such as running the analyzer on the file) allow no privileges to achieve high-impact confidentiality, integrity, and availability violations, potentially leading to arbitrary code execution if the falsely safe pickle is subsequently unpickled.

The issue has been addressed in Fickling version 0.1.7, as detailed in the project's GitHub release and related commit history, which include fixes to properly flag the risky modules in unsafe_imports(). Security practitioners should update to this version or later to mitigate the vulnerability.