Silent Pickle, Full System Takeover: Critical RCE Bypasses in Fickling

Product: Fickling

Fickling is a Python security library designed to analyze and restrict unsafe behavior in serialized pickle files. These vulnerabilities demonstrate multiple ways attackers can bypass Fickling’s detection logic and achieve remote code execution (RCE) during deserialization.


Vulnerability Summary Table

CVE ID         | Vulnerability Title                                  | CVSS (v3.1) | Severity | Exploitability | Exploit Availability | Attack Vector
CVE-2026-22609 | unsafe_imports() fails to detect RCE-capable modules | 8.8         | High     | Easy           | Public techniques    | Malicious pickle
CVE-2026-22608 | ctypes + pydoc abuse chain bypasses detection        | 9.1         | Critical | Moderate       | Public techniques    | Malicious pickle
CVE-2026-22607 | cProfile misuse leads to arbitrary code execution    | 8.6         | High     | Easy           | Conceptual PoC       | Malicious pickle
CVE-2026-22606 | runpy module misclassification enables RCE           | 9.0         | Critical | Easy           | Public techniques    | Malicious pickle

Common Root Cause

All four vulnerabilities stem from incomplete modeling of Python standard library behavior during pickle inspection.

Fickling attempts to classify imports and function calls as “safe” or “unsafe,” but:

  • Some standard library modules can indirectly execute code
  • Some modules are treated as data-only or inspection-only, when they are not
  • Some execution paths are context-dependent and only become dangerous when chained

Attackers exploit these blind spots by crafting pickle payloads that look harmless during inspection but execute commands at runtime.


Impact

  • Remote Code Execution (RCE)
  • Complete application compromise
  • Data theft or destruction
  • Lateral movement in internal networks
  • CI/CD pipeline poisoning
  • Model supply-chain compromise (ML environments)

CVE-2026-22609

unsafe_imports() Fails to Detect RCE-Capable Modules

What Goes Wrong

Fickling’s unsafe_imports() function relies on a static allow/block list of modules. Certain Python standard modules are assumed to be non-executable but can invoke dynamic imports, subprocess calls, or loaders internally.

How It Can Be Exploited

  1. Attacker crafts a pickle importing a “trusted” standard module
  2. That module internally loads or executes attacker-controlled code
  3. Fickling marks the pickle as safe
  4. RCE occurs during deserialization

Example Abuse Behavior

  • Importing a module that dynamically resolves symbols
  • Triggering execution via object initialization or callbacks

MITRE ATT&CK Mapping

  • T1059.006 – Python execution
  • T1027 – Obfuscated payload delivery
  • T1203 – Exploitation for client execution

Detection Guidance

Indicators

  • Pickles importing rarely-used stdlib modules
  • Nested imports during deserialization
  • Execution without explicit exec() or eval()

Payload Characteristics

  • No obvious OS command
  • Uses import resolution or object hooks

Detection Rules (Logic-Based)

  • Flag pickle files importing modules that:
    • Perform dynamic imports
    • Use loaders, specs, or module execution hooks
  • Treat all imports as untrusted unless explicitly allowlisted

Relevant Log Sources

  • Application logs during deserialization
  • Python audit hooks
  • Runtime import tracing
  • EDR command execution logs

CVE-2026-22608

ctypes + pydoc Chain Allows Detection Bypass

What Goes Wrong

Individually, ctypes and pydoc appear benign. Together, they can:

  • Load shared libraries
  • Resolve symbols dynamically
  • Execute native code

Fickling does not detect cross-module execution chains.

How It Can Be Exploited

  1. Pickle imports pydoc to locate objects
  2. ctypes loads a system library
  3. Function pointers are resolved and executed
  4. Native code execution occurs

Why This Is Dangerous

  • No shell commands required
  • No subprocess usage
  • Execution happens in-memory

MITRE ATT&CK Mapping

  • T1106 – Native API execution
  • T1055 – Process injection (conceptual)
  • T1059.006 – Python execution

Detection Guidance

Indicators

  • Pickle files referencing ctypes.CDLL
  • Symbol resolution patterns
  • Memory execution behavior

Detection Rules

  • Block any pickle referencing ctypes
  • Treat pydoc resolution as unsafe in pickle context
  • Alert on native library loading during deserialization

Log Sources

  • Python runtime logs
  • System library load events
  • EDR memory execution alerts

CVE-2026-22607

cProfile Misuse Leads to Malicious Pickle Execution

What Goes Wrong

cProfile is designed for profiling, not security. When misused:

  • Profiling hooks can execute arbitrary callables
  • Function references embedded in pickle objects get executed

Fickling misclassifies profiling operations as non-executable.

How It Can Be Exploited

  1. Attacker embeds callable objects in profiling context
  2. cProfile executes them during profiling
  3. Malicious code runs silently

MITRE ATT&CK Mapping

  • T1059.006 – Python execution
  • T1569 – System service execution
  • T1203 – Client execution

Detection Guidance

Indicators

  • Pickle files referencing profiling modules
  • Unexpected function calls during profiling

Detection Rules

  • Disallow profiling modules in pickle entirely
  • Flag any callable embedded in serialized objects

Log Sources

  • Python function-call traces
  • Application profiling logs

CVE-2026-22606

runpy Module Misclassification Enables RCE

What Goes Wrong

runpy is used to execute Python modules as scripts.
Fickling treats it as a loader, not an executor.

How It Can Be Exploited

  1. Pickle references runpy.run_module
  2. Attacker-controlled module is executed
  3. Code runs as if invoked from CLI

Why This Is Severe

  • Direct execution
  • Minimal payload complexity
  • Works in restricted environments

MITRE ATT&CK Mapping

  • T1059.006 – Python execution
  • T1204 – User execution (indirect)
  • T1027 – Obfuscation

Detection Guidance

Indicators

  • runpy usage in pickle
  • Module execution during deserialization

Detection Rules

  • Treat runpy as always unsafe
  • Alert on any runtime module execution

Log Sources

  • Application execution logs
  • Python audit hooks
  • EDR process execution telemetry

Official Patch Information

Status: Fixed by upstream
Action Required: Immediate upgrade

What the Patch Changes

  • Reclassifies multiple stdlib modules as unsafe
  • Improves execution-path modeling
  • Blocks chained execution patterns
  • Introduces stricter pickle inspection logic

Official Patch Link (Upstream Only):
https://github.com/fickling/fickling/releases


Final Recommendation

  • Do not deserialize untrusted pickle files
  • Upgrade Fickling immediately
  • Add runtime monitoring in addition to static inspection
  • Treat Python stdlib as execution-capable unless proven otherwise
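An added example (not Fickling's code or part of the advisory) of the two layers the detection rules for CVE-2026-22609 and the final recommendation call for: a static pass that treats every global a pickle references as untrusted unless explicitly allowlisted, backed by runtime enforcement in find_class() and a Python audit hook for monitoring. The allowlist contents, the AllowlistUnpickler/load_untrusted names and the constructed fixtures are assumptions for illustration.

```python
import io, pickle, pickletools, sys
from collections import OrderedDict

# Allowlist of (module, name) pairs; every other global is treated as untrusted.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}

def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Static triage: the (module, name) pairs a pickle would import, without loading it.
    GLOBAL carries 'module name' inline; STACK_GLOBAL (protocol 4+) consumes the two most
    recently pushed strings. Heuristic only (memo fetches/POP not modelled): never the sole gate."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            found.append(tuple(arg.split(" ", 1)))
        elif op.name == "STACK_GLOBAL":          # IndexError here means a malformed pickle
            name, module = strings.pop(), strings.pop()
            found.append((module, name))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return found

class AllowlistUnpickler(pickle.Unpickler):
    """Runtime enforcement: every global resolution passes through find_class(), whatever opcodes were used."""
    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"blocked global {module}.{name}")
        return super().find_class(module, name)

def load_untrusted(data: bytes):
    """Static scan first, then an enforced load. Returns (ok, object_or_reason)."""
    try:
        bad = [g for g in referenced_globals(data) if g not in ALLOWED_GLOBALS]
        if bad:
            return False, f"static scan rejected {bad}"
        return True, AllowlistUnpickler(io.BytesIO(data)).load()
    except (pickle.UnpicklingError, ValueError, IndexError) as exc:
        return False, str(exc)

# Runtime monitoring: CPython raises the 'pickle.find_class' audit event from every
# Unpickler in the process, so this records resolutions even behind plain pickle.loads().
AUDIT_LOG: list[tuple[str, str]] = []
sys.addaudithook(lambda event, args: AUDIT_LOG.append((args[0], args[1]))
                 if event == "pickle.find_class" else None)

# Constructed fixtures: the two bad ones are bare references with no REDUCE opcode.
GOOD = pickle.dumps(OrderedDict(a=1), protocol=4)            # STACK_GLOBAL collections OrderedDict
BAD_CTYPES = b"\x80\x02cctypes\nCDLL\n."                     # GLOBAL ctypes CDLL
BAD_RUNPY = b"\x80\x04\x8c\x05runpy\x8c\x0arun_module\x93."   # STACK_GLOBAL runpy run_module
```

The static pass gives early, cheap triage and telemetry; the find_class() allowlist is what actually stops a resolution the scanner mis-paired, and the audit log shows every module.name any unpickler in the process resolved.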

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.