Vulnerability  ·  2026-07-05

Trail of Bits fickling — MLAllowlist Safety Check Silently Bypassed, Malicious Pickles Marked 'LIKELY_SAFE'

Vulnerability · High impact · Global · CVE-2026-14535
A logic error in Trail of Bits' fickling, a widely used static analysis tool for detecting malicious pickle-based ML model files, renders its core protection (the MLAllowlist pass) inert, so crafted malicious pickle payloads pass fickling's safety check and execute arbitrary code on deserialization. Published to NVD July 4, 2026; CVSS 8.8 (High).
fickling is a de facto standard scanner across the ML ecosystem (including Hugging Face Hub tooling) for vetting untrusted pickle-serialized models before they are loaded. A security tool whose core check silently fails open means that any pipeline gating model loads on fickling's verdict could unknowingly execute attacker-controlled code from a poisoned model file, directly undermining ML supply-chain trust at scale.
The UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, whether or not the node is actually reported. shorten_code records the node in a shared reported_shortened_code set as a side effect. The MLAllowlist pass, which runs next, treats any node already in that set as handled, so it skips every import node and its allowlist check is effectively dead code. As a result, any module outside the UNSAFE_IMPORTS denylist, including non-ML standard-library modules capable of arbitrary code execution, passes fickling.check_safety() with a LIKELY_SAFE verdict and is then executed by pickle.loads() in any application that trusts that verdict.
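The fail-open, as an added simplified model rather than fickling's own code: two passes walk the same import nodes and share a dedupe set, and the first pass writes to that set for every node instead of only for the nodes it reports. The node type, the denylist/allowlist contents, the severity names and the pass bodies are all assumptions chosen to keep only the shape of the bug; the sample import lists are constructed.

```python
"""Simplified model of a dedupe set shared between two analysis passes.
Constructed example, not fickling's code: ImportNode, the lists below,
the severity strings and the pass bodies are assumptions."""

from dataclasses import dataclass, field

# Assumed denylist and allowlist; fickling's real UNSAFE_IMPORTS and ML
# allowlist are different and larger.
UNSAFE_IMPORTS = {"os", "subprocess", "builtins"}
ML_ALLOWLIST = {"torch", "numpy", "collections"}


@dataclass(frozen=True)
class ImportNode:
    module: str
    name: str


@dataclass
class AnalysisContext:
    reported_shortened_code: set = field(default_factory=set)
    findings: list = field(default_factory=list)

    def shorten_code(self, node):
        """Renders a node for a finding and, as a side effect, marks it as
        already reported so later passes do not duplicate the finding."""
        code = f"from {node.module} import {node.name}"
        self.reported_shortened_code.add(code)
        return code

    def report(self, severity, node, detail):
        self.findings.append((severity, node, detail))


def unsafe_imports_buggy(ctx, nodes):
    """Denylist pass as described: shorten_code runs for every node, so every
    node is marked reported even when nothing is reported."""
    for node in nodes:
        code = ctx.shorten_code(node)
        if node.module in UNSAFE_IMPORTS:
            ctx.report("OVERTLY_MALICIOUS", node, code)


def unsafe_imports_fixed(ctx, nodes):
    """Same pass, but the side effect only happens when a finding is made."""
    for node in nodes:
        if node.module in UNSAFE_IMPORTS:
            ctx.report("OVERTLY_MALICIOUS", node, ctx.shorten_code(node))


def ml_allowlist(ctx, nodes):
    """Allowlist pass: skips nodes an earlier pass already reported, then
    flags any import from a module outside the allowlist."""
    for node in nodes:
        if f"from {node.module} import {node.name}" in ctx.reported_shortened_code:
            continue
        if node.module not in ML_ALLOWLIST:
            ctx.report("LIKELY_UNSAFE", node, ctx.shorten_code(node))


def check_safety(nodes, fixed=False):
    """Worst severity across both passes; LIKELY_SAFE when nothing fired."""
    ctx = AnalysisContext()
    (unsafe_imports_fixed if fixed else unsafe_imports_buggy)(ctx, nodes)
    ml_allowlist(ctx, nodes)
    severities = {sev for sev, _, _ in ctx.findings}
    if "OVERTLY_MALICIOUS" in severities:
        return "OVERTLY_MALICIOUS"
    if "LIKELY_UNSAFE" in severities:
        return "LIKELY_UNSAFE"
    return "LIKELY_SAFE"


# Constructed samples: one allowlisted ML import plus an import from a
# standard-library module that is neither denylisted nor allowlisted, and
# one import that is on the denylist.
SMUGGLED = [ImportNode("torch", "FloatStorage"), ImportNode("pathlib", "Path")]
DENYLISTED = [ImportNode("os", "system")]
```

With the buggy first pass, SMUGGLED comes back LIKELY_SAFE because the allowlist pass skips both nodes; with the fixed pass it comes back LIKELY_UNSAFE. Denylisted imports are caught either way, which is why the regression is silent: the checks that still fire mask the one that stopped firing.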
Affected: Trail of Bits fickling ≤ 0.1.11 (fixed in 0.1.12)
Upgrade to fickling 0.1.12 or later, which fixes the logic error and restores MLAllowlist enforcement. Do not rely solely on fickling's verdict for untrusted pickle files: combine it with sandboxed loading or with migration to the safetensors format, which stores tensors without executable code.
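One way to stop depending on a scanner's verdict, as an added example that is not fickling's or Trail of Bits' code: enumerate the globals a pickle asks for from its opcode stream, then enforce the same explicit allowlist at load time through Unpickler.find_class, which pickle consults for every GLOBAL, STACK_GLOBAL and INST. ALLOWED_GLOBALS, the function names and the two sample pickles are assumptions constructed for this example; a real allowlist is derived from what your own model files legitimately reference.

```python
"""Defense-in-depth pickle loading independent of any scanner's verdict.
Constructed example, not fickling's code; ALLOWED_GLOBALS and the sample
inputs are assumptions."""

import collections
import io
import pickle
import pickletools

# Assumed allowlist, keyed by (module, name). Allowlisting is per name, not
# per module: collections.deque stays blocked even though
# collections.OrderedDict is allowed.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> set[tuple[str, str]]:
    """Static pre-scan of every (module, name) the opcode stream resolves.
    GLOBAL and INST carry both operands inline. STACK_GLOBAL takes them from
    the stack, approximated here as the two most recent string pushes; memo
    indirection (BINGET) can defeat that approximation, so this is a report,
    and RestrictedUnpickler below is the enforcement point."""
    refs: set[tuple[str, str]] = set()
    strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("GLOBAL", "INST"):
            module, name = arg.split(" ", 1)
            refs.add((module, name))
        elif op.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL with fewer than two string operands")
            refs.add((strings[-2], strings[-1]))
        elif op.name in _STRING_OPS:
            strings.append(arg)
    return refs


class RestrictedUnpickler(pickle.Unpickler):
    """Load-time gate: every global is resolved through find_class, so refusing
    here blocks REDUCE/BUILD/INST on anything outside the allowlist."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"global {module}.{name} is not allowlisted")
        return super().find_class(module, name)


def load_without_prescan(data: bytes):
    """Exercises the load-time gate alone: this is what still protects you
    if the static scan is fooled."""
    try:
        return ("LOADED", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as exc:
        return ("REJECTED_AT_LOAD", str(exc))


def load_model(data: bytes):
    """Returns (verdict, payload). The static scan and the unpickler are
    independent checks; a file must pass both."""
    disallowed = referenced_globals(data) - ALLOWED_GLOBALS
    if disallowed:
        return ("REJECTED_STATIC", sorted(disallowed))
    return load_without_prescan(data)


# Constructed samples: an OrderedDict stands in for a state_dict-style model;
# a deque stands in for a non-allowlisted global from an otherwise
# allowlisted module.
BENIGN = pickle.dumps(collections.OrderedDict(weight=[0.1, 0.2]))
NON_ALLOWLISTED = pickle.dumps(collections.deque([1, 2]))
```

Keep the allowlist as small as the models actually need: every allowlisted callable is code that pickle will invoke on attacker-chosen arguments, and an entry such as builtins.getattr would reopen the door. The static scan is useful for reporting what a file wants before anything runs; the find_class gate is the control to rely on, and a sandbox or safetensors remains the stronger option for files you cannot trust at all.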
References:
TheHackerWire - CVE-2026-14535
Trail of Bits fickling commit (fix)