CVE-2026-14535

Source
https://cve.org/CVERecord?id=CVE-2026-14535
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14535.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-14535
Aliases
  • GHSA-cffv-grgg-g429
Published
2026-07-04T13:31:14.937Z
Modified
2026-07-08T08:12:23.140002755Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Fickling MLAllowlist analysis pass rendered inoperative by shared mutable state in AnalysisContext.shorten_code()
Details

In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shortencode(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reportedshortenedcode set. When the MLAllowlist analysis pass subsequently runs, it calls the same shortencode() method, receives alreadyreported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports — it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFEIMPORTS denylist can be invoked via pickle deserialization while fickling's checksafety() returns LIKELYSAFE. The fickling.load() API chains checksafety() into pickle.loads() as an explicit security gate, meaning a LIKELYSAFE verdict causes the payload to be deserialized and executed. The root cause is shared mutable state between independently-correct analysis passes — UnsafeImportsML works as designed in isolation, MLAllowlist works as designed in isolation, but the shared reportedshortenedcode set causes UnsafeImportsML to poison MLAllowlist's deduplication logic.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/14xxx/CVE-2026-14535.json",
    "cna_assigner": "BombadilSystems",
    "cwe_ids": [
        "CWE-693"
    ]
}
References

Affected packages

Git / github.com/trailofbits/fickling

Affected ranges

Type
GIT
Repo
https://github.com/trailofbits/fickling
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "0.1.11"
        }
    ]
}

Affected versions

Other
master
v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.1.0
v0.1.1
v0.1.10
v0.1.11
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14535.json"