AI Threat Alert

CVE-2026-22609: fickling: Allowlist Bypass evades input filtering

GHSA-q5qq-mvfm-j35x HIGH PoC AVAILABLE CISA: ATTEND
Published January 9, 2026
CISO Take

If you use Fickling to gate-check pickle files before loading AI models or datasets, your security control has a blind spot — attackers can craft malicious pickles using ctypes, importlib, runpy, code, or multiprocessing that pass as 'LIKELY_SAFE'. Upgrade fickling to 0.1.7 immediately and re-audit any models validated with prior versions. Until patched, do not rely on Fickling alone as the sole safety control for untrusted pickle artifacts.

What is the risk?

HIGH risk for organizations using Fickling in automated ML pipelines. The vulnerability is in a defense tool itself — a meta-security failure — meaning the exploitability is trivial (craft any ctypes-based pickle) and the impact is full arbitrary code execution on whatever host loads the pickle. EPSS is low because mass exploitation requires targeted delivery to organizations using Fickling specifically, but for AI/ML teams that have operationalized Fickling as a pre-load scanner (common in MLOps), the effective risk is critical. Not in CISA KEV, no public exploits at time of writing, but the PoC is published and trivially reproducible.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Fickling pip <= 0.1.6 0.1.7
636 OpenSSF 7.9 58 dependents Pushed 5d ago 100% patched ~5d to patch Full package profile →

Do you use Fickling? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
0.6%
chance of exploitation in 30 days
Higher than 42% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What should I do?

6 steps

  1. PATCH

    Upgrade fickling to 0.1.7 immediately (pip install fickling>=0.1.7).

  2. AUDIT

    Identify all pipelines, CI/CD jobs, and model loading workflows that call fickling or check_safety() — re-validate any models previously cleared by older versions.

  3. DEFENSE-IN-DEPTH: Do not rely on Fickling alone — layer with network egress controls, sandboxed model loading (subprocess isolation, containers with no credentials), and model signing/provenance verification.

  4. DETECT

    Alert on any process spawned from Python pickle deserialization code; monitor for unexpected ctypes, subprocess, or socket calls from ML worker processes.

  5. POLICY

    For models from untrusted sources, require execution in isolated environments (e.g., gVisor, Firecracker microVMs) regardless of static analysis verdict.

  6. HARDEN

    Consider using safetensors format instead of pickle for model serialization where possible — it eliminates this attack class entirely.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain Auth Bypass Framework Model AML.T0010.001 AML.T0010.003 AML.T0011.000 AML.T0018.002 AML.T0107

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.25 - Obligations of Deployers Art.9 - Risk Management System for High-Risk AI
ISO 42001
A.6.2.6 - AI System Testing and Validation A.8.4 - AI System Supply Chain
NIST AI RMF
MANAGE-2.2 - Mechanisms to Sustain Oversight of AI Risk MEASURE-2.6 - Technical Evaluation Methods for AI Trustworthiness
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-22609?

If you use Fickling to gate-check pickle files before loading AI models or datasets, your security control has a blind spot — attackers can craft malicious pickles using ctypes, importlib, runpy, code, or multiprocessing that pass as 'LIKELY_SAFE'. Upgrade fickling to 0.1.7 immediately and re-audit any models validated with prior versions. Until patched, do not rely on Fickling alone as the sole safety control for untrusted pickle artifacts.

Is CVE-2026-22609 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2026-22609, increasing the risk of exploitation.

How to fix CVE-2026-22609?

1. PATCH: Upgrade fickling to 0.1.7 immediately (`pip install fickling>=0.1.7`). 2. AUDIT: Identify all pipelines, CI/CD jobs, and model loading workflows that call fickling or check_safety() — re-validate any models previously cleared by older versions. 3. DEFENSE-IN-DEPTH: Do not rely on Fickling alone — layer with network egress controls, sandboxed model loading (subprocess isolation, containers with no credentials), and model signing/provenance verification. 4. DETECT: Alert on any process spawned from Python pickle deserialization code; monitor for unexpected ctypes, subprocess, or socket calls from ML worker processes. 5. POLICY: For models from untrusted sources, require execution in isolated environments (e.g., gVisor, Firecracker microVMs) regardless of static analysis verdict. 6. HARDEN: Consider using safetensors format instead of pickle for model serialization where possible — it eliminates this attack class entirely.

What systems are affected by CVE-2026-22609?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, model registries, MLOps/CI-CD pipelines, notebook environments.

What is the CVSS score for CVE-2026-22609?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingmodel registriesMLOps/CI-CD pipelinesnotebook environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0107 Exploitation for Defense Evasion

Compliance Controls Affected

EU AI Act: Art.25, Art.9
ISO 42001: A.6.2.6, A.8.4
NIST AI RMF: MANAGE-2.2, MEASURE-2.6
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

#Fickling's assessment `ctypes`, `importlib`, `runpy`, `code` and `multiprocessing` were added the list of unsafe imports (https://github.com/trailofbits/fickling/commit/9a2b3f89bd0598b528d62c10a64c1986fcb09f66, https://github.com/trailofbits/fickling/commit/eb299b453342f1931c787bcb3bc33f3a03a173f9, https://github.com/trailofbits/fickling/commit/29d5545e74b07766892c1f0461b801afccee4f91, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1, https://github.com/trailofbits/fickling/commit/b793563e60a5e039c5837b09d7f4f6b92e6040d1). # Original report ## Summary The `unsafe_imports()` method in Fickling's static analyzer fails to flag several high-risk Python modules that can be used for arbitrary code execution. Malicious pickles importing these modules will not be detected as unsafe, allowing attackers to bypass Fickling's primary static safety checks. ## Details In `fickling/fickle.py` lines 866-884, the `unsafe_imports()` method checks imported modules against a hardcoded tuple: ```python def unsafe_imports(self) -> Iterator[ast.Import | ast.ImportFrom]: for node in self.properties.imports: if node.module in ( "__builtin__", "__builtins__", "builtins", "os", "posix", "nt", "subprocess", "sys", "builtins", "socket", "pty", "marshal", "types", ): yield node ``` This list is incomplete. The following dangerous modules are NOT detected: - **ctypes**: Allows arbitrary memory access, calling C functions, and bypassing Python restrictions entirely - **importlib**: Can dynamically import any module at runtime - **runpy**: Can execute Python modules as scripts - **code**: Can compile and execute arbitrary Python code - **multiprocessing**: Can spawn processes with arbitrary code Since `ctypes` is part of the Python standard library, it also bypasses the `NonStandardImports` analysis. ## PoC ```python from fickling.fickle import Pickled from fickling.analysis import check_safety, Severity # Pickle that imports ctypes.pythonapi (allows arbitrary code execution) # PROTO 4, GLOBAL 'ctypes pythonapi', STOP payload = b'\x80\x04cctypes\npythonapi\n.' pickled = Pickled.load(payload) results = check_safety(pickled) print(f"Severity: {results.severity.name}") print(f"Is safe: {results.severity == Severity.LIKELY_SAFE}") # Output: Severity is LIKELY_SAFE or low - the ctypes import is not flagged # A truly malicious pickle using ctypes could execute arbitrary code ``` ## Impact **Security Bypass (Confidentiality, Integrity, Availability)** An attacker can craft a malicious pickle that: 1. Imports `ctypes` to gain arbitrary memory access 2. Uses `ctypes.pythonapi` or `ctypes.CDLL` to execute arbitrary code 3. Passes Fickling's safety analysis as "likely safe" 4. Executes malicious code when the victim loads the pickle after trusting Fickling's verdict This undermines the core purpose of Fickling as a pickle safety scanner.

Exploitation Scenario

An attacker publishes a poisoned PyTorch model to a public model registry or submits it via a third-party vendor handoff. The model file is a valid-looking pickle that on deserialization calls ctypes.CDLL or ctypes.pythonapi to load a shared library or execute a shellcode stub — establishing a reverse shell or exfiltrating cloud IAM credentials. The victim organization's MLOps pipeline runs Fickling as a pre-load safety gate; fickling <= 0.1.6 returns Severity.LIKELY_SAFE because ctypes is not in the unsafe module list. The pipeline proceeds to load the model on a GPU training node with access to S3 buckets, internal APIs, and GPU cluster credentials. The attacker gains persistent access to the training infrastructure.

Weaknesses (CWE)

CWE-184 Incomplete List of Disallowed Inputs Primary CWE-502 Deserialization of Untrusted Data Primary

CWE-184 — Incomplete List of Disallowed Inputs: The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete.

  • [Implementation] Do not rely exclusively on detecting disallowed inputs. There are too many variants to encode a character, especially when different environments are used, so there is a high likelihood of missing some variants. Only use detection of disallowed inputs as a mechanism for detecting suspicious activity. Ensure that you are using other protection mechanisms that only identify "good" input - such as lists of allowed inputs - and ensure that you are properly encoding your outputs.

Source: MITRE CWE corpus.

References

Timeline

Published
January 9, 2026
Last Modified
January 11, 2026
First Seen
March 24, 2026

Related Vulnerabilities

HIGH GHSA-5hwf-rc88-82xm

fickling: Allowlist Bypass evades input filtering

Same package: fickling
HIGH GHSA-wccx-j62j-r448

fickling: Protection Bypass circumvents security controls

Same package: fickling
MEDIUM GHSA-5cxw-w2xg-2m8h

fickling: Allowlist Bypass evades input filtering

Same package: fickling
MEDIUM GHSA-r48f-3986-4f9c

fickling: Allowlist Bypass evades input filtering

Same package: fickling
MEDIUM GHSA-mhc9-48gj-9gp3

fickling: Allowlist Bypass evades input filtering

Same package: fickling
Back to Threat Feed