CVE-2026-14534
Last modified
CVE-2026-14534 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling's check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). EPSS estimates a 0.33% chance of exploitation in the next 30 days.
Description
Trail of Bits fickling versions up to and including 0.1.10 do not include the Python standard library modules _posixsubprocess, site, and atexit in the UNSAFE_IMPORTS denylist (fickle.py). Because these modules are absent from the denylist, fickling's check_safety() function returns LIKELY_SAFE with zero findings for pickle payloads that invoke dangerous functions including _posixsubprocess.fork_exec (C-level process spawner capable of executing arbitrary binaries), site.execsitecustomize (executes arbitrary site customization code), and atexit._run_exitfuncs (triggers all registered exit handler callbacks). The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate; a LIKELY_SAFE verdict causes the payload to be deserialized and executed. This shares the same root cause as CVE-2026-22607 (cProfile), CVE-2025-67748 (pty), and CVE-2025-67747 (marshal/types). OvertlyBadEvals does not flag these modules because they are standard library imports. UnsafeImports does not flag them because they are not in the denylist. The UnusedVariables heuristic is defeated by the SETITEMS opcode pattern.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Trailofbits | Fickling | <= 0.1.10 |
References
- https://github.com/trailofbits/fickling/pull/272Issue Tracking, Patch
- https://github.com/trailofbits/fickling/security/advisories/GHSA-m6fh-58r7-x697Exploit, Vendor Advisory
- https://github.com/trailofbits/fickling/security/advisories/GHSA-m6fh-58r7-x697Exploit, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-14534?
How severe is CVE-2026-14534?
How do I fix CVE-2026-14534?
Related CVEs from 2026
- CVE-2026-14495The DoLogin Security plugin for WordPress is vulnerable to A…8.8
- CVE-2026-1450The rognone plugin for WordPress is vulnerable to Reflected …6.1
- CVE-2026-14500The Bulk Order Update for WooCommerce plugin for WordPress i…5.3
- CVE-2026-1451The rognone plugin for WordPress is vulnerable to Reflected …6.1
- CVE-2026-1452Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMB…
- CVE-2026-1453A missing authentication for critical function vulnerability…9.8
- CVE-2026-14535In Trail of Bits fickling versions up to and including 0.1.1…9.8
- CVE-2026-14536Improper enforcement of a mandatory multi-factor authenticat…8.8
- CVE-2026-1454The Responsive Contact Form Builder & Lead Generation Plugin…7.2
- CVE-2026-14544A flaw was found in HPLIP (HP Linux Imaging and Printing Sof…9.8
- CVE-2026-1455The Whatsiplus Scheduled Notification for Woocommerce plugin…4.3
- CVE-2026-1456GitLab has remediated an issue in GitLab CE/EE affecting all…7.5
Are you affected by CVE-2026-14534?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST
