What is CVE-2026-22609?

#Fickling's assessment `ctypes`, `importlib`, `runpy`, `code` and `multiprocessing` were added the list of unsafe imports (https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66, https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9, https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1). # Original report ## Summary The `unsafe_imports()` method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks. ## Details In `fickling/fickle.py` lines 866-884, the `unsafe_imports()` method checks imported modules against a hardcoded tuple: ```python def unsafe_imports(self) -> Iterator[ast.Import | ast.ImportFrom]: for node in self.properties.imports: if node.module in ( "__builtin__", "__builtins__", "builtins", "os", "posix", "nt", "subprocess", "sys", "builtins", "socket", "pty", "marshal", "types", ): yield node ``` This list is incomplete. The following dangerous modules are NOT detected: - **ctypes**: Allows arbitrary memory access, calling C functions, and bypassing Python restrictions entirely - **importlib**: Can dynamically import any module at runtime - **runpy**: Can execute Python modules as scripts - **code**: Can compile and execute arbitrary Python code - **multiprocessing**: Can spawn processes with arbitrary code Since `ctypes` is part of the Python standard library, it also bypasses the `NonStandardImports` analysis. ## PoC ```python from fickling.fickle import Pickled from fickling.analysis import check_safety, Severity # Pickle that imports ctypes.pythonapi (allows arbitrary code execution) # PROTO 4, GLOBAL 'ctypes pythonapi', STOP payload = b'\x80\x04cctypes\npythonapi\n.' pickled = Pickled.load(payload) results = check_safety(pickled) print(f"Severity: {results.severity.name}") print(f"Is safe: {results.severity == Severity.LIKELY_SAFE}") # Output: Severity is LIKELY_SAFE or low - the ctypes import is not flagged # A truly malicious pickle using ctypes could execute arbitrary code ``` ## Impact **Security Bypass (Confidentiality, Integrity, Availability)** An attacker can craft a malicious pickle that: 1. Imports `ctypes` to gain arbitrary memory access 2. Uses `ctypes.pythonapi` or `ctypes.CDLL` to execute arbitrary code 3. Passes Fickling's safety analysis as "likely safe" 4. Executes malicious code when the victim loads the pickle after trusting Fickling's verdict This undermines the core purpose of Fickling as a pickle safety scanner.

What is the severity of CVE-2026-22609?

CVE-2026-22609 has a CVSS v3 score of 7.8, which is classified as High severity.

Is there an exploit available for CVE-2026-22609?

No known public exploits are currently available for CVE-2026-22609.

Is there a patch available for CVE-2026-22609?

Yes, patches are available for CVE-2026-22609. Check the vendor advisories for update instructions.

Severity Scores

CVSS v37.8

CVSS v20.0

Priority Score560.0

EPSS Score0.0

High

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

7.8

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

#Fickling's assessment

ctypes, importlib, runpy, code and multiprocessing were added the list of unsafe imports (https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66, https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9, https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1).

Original report

Summary

The unsafe_imports() method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks.

Details

In fickling/fickle.py lines 866-884, the unsafe_imports() method checks imported modules against a hardcoded tuple:

def unsafe_imports(self) -> Iterator[ast.Import | ast.ImportFrom]:
    for node in self.properties.imports:
        if node.module in (
            "__builtin__", "__builtins__", "builtins", "os", "posix", "nt",
            "subprocess", "sys", "builtins", "socket", "pty", "marshal", "types",
        ):
            yield node

This list is incomplete. The following dangerous modules are NOT detected:

ctypes: Allows arbitrary memory access, calling C functions, and bypassing Python restrictions entirely
importlib: Can dynamically import any module at runtime
runpy: Can execute Python modules as scripts
code: Can compile and execute arbitrary Python code
multiprocessing: Can spawn processes with arbitrary code

Since ctypes is part of the Python standard library, it also bypasses the NonStandardImports analysis.

CVSS v3 Breakdown

Attack Vector:Local

Attack Complexity:Local

Privileges Required:Network

User Interaction:Required

Scope:Unchanged

Confidentiality:High

Integrity:High

Availability:High

Patch References

Github.com Github.com Github.com