CVE-2026-22608

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-22608

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22608.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-22608

Aliases

GHSA-5hvc-6wx8-mvv4

Published

2026-01-10T01:35:11.291Z

Modified

2026-03-14T12:47:14.150936Z

Severity

8.9 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

Fickling vulnerable to use of ctypes and pydoc gadget chain to bypass detection

Details

Fickling is a Python pickling decompiler and static analyzer. Prior to version 0.1.7, both ctypes and pydoc modules aren't explicitly blocked. Even other existing pickle scanning tools (like picklescan) do not block pydoc.locate. Chaining these two together can achieve RCE while the scanner still reports the file as LIKELY_SAFE. This issue has been patched in version 0.1.7.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22608.json",
    "cwe_ids": [
        "CWE-184",
        "CWE-502"
    ]
}

References

Affected packages

Git / github.com/trailofbits/fickling

Affected ranges

Type: GIT
Repo: https://github.com/trailofbits/fickling
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

977b0769c13537cd96549c12bb537f05464cf09c

Affected versions

Other

master

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.0.5

v0.0.6

v0.0.7

v0.0.8

v0.1.0

v0.1.1

v0.1.2

v0.1.3

v0.1.4

v0.1.5

v0.1.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22608.json"