{"id":"CVE-2026-14535","summary":"Fickling MLAllowlist analysis pass rendered inoperative by shared mutable state in AnalysisContext.shorten_code()","details":"In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports — it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deserialization while fickling's check_safety() returns LIKELY_SAFE. The fickling.load() API chains check_safety() into pickle.loads() as an explicit security gate, meaning a LIKELY_SAFE verdict causes the payload to be deserialized and executed. The root cause is shared mutable state between independently-correct analysis passes — UnsafeImportsML works as designed in isolation, MLAllowlist works as designed in isolation, but the shared reported_shortened_code set causes UnsafeImportsML to poison MLAllowlist's deduplication logic.","aliases":["GHSA-cffv-grgg-g429"],"modified":"2026-07-08T08:12:23.140002755Z","published":"2026-07-04T13:31:14.937Z","database_specific":{"cwe_ids":["CWE-693"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/14xxx/CVE-2026-14535.json","cna_assigner":"BombadilSystems"},"references":[{"type":"WEB","url":"https://github.com/trailofbits/fickling/releases/tag/v0.1.12"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/14xxx/CVE-2026-14535.json"},{"type":"ADVISORY","url":"https://github.com/trailofbits/fickling/security/advisories/GHSA-cffv-grgg-g429"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-14535"},{"type":"FIX","url":"https://github.com/trailofbits/fickling/commit/41ce7cb01edd97072994039574a2301ebb3f463d"},{"type":"FIX","url":"https://github.com/trailofbits/fickling/pull/278"},{"type":"PACKAGE","url":"https://pypi.org/project/fickling/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/trailofbits/fickling","events":[{"introduced":"0"},{"fixed":"41ce7cb01edd97072994039574a2301ebb3f463d"},{"fixed":"c3c695cdcce451c04dfe892802675161614287a2"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"0.1.11"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["v0.1.11","v0.1.10","v0.1.9","v0.1.8","v0.1.7","v0.1.6","v0.1.5","v0.1.4","master","v0.1.3","v0.1.2","v0.1.1","v0.1.0","v0.0.8","v0.0.7","v0.0.6","v0.0.5","v0.0.4","v0.0.3","v0.0.2","v0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-14535.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}