CVE-2026-22606 is a vulnerability in the Python tool Fickling, a pickling decompiler and static analyzer designed to detect malicious pickle payloads. Pickle deserialization in Python is inherently risky because it can execute arbitrary code embedded in the serialized data. Fickling attempts to mitigate this risk by analyzing pickle contents and classifying them as safe, suspicious, or overtly malicious. However, versions up to 0.1.6 fail to treat the runpy module as unsafe. The runpy module allows dynamic execution of Python code via run_path() and run_module(), which can be leveraged by attackers to execute arbitrary code during deserialization. Due to this oversight, malicious pickles using runpy are only flagged as suspicious rather than overtly malicious, potentially misleading users or automated systems relying on Fickling's classification. This can lead to attacker-controlled code execution if such pickles are deserialized. The vulnerability does not require authentication or user interaction and can be exploited remotely by supplying crafted pickle data. The flaw is categorized under CWE-184 (Incomplete List of Disallowed Inputs) and CWE-502 (Deserialization of Untrusted Data). The issue was publicly disclosed on January 10, 2026, with a CVSS 4.0 score of 8.9, indicating high severity. No known exploits have been reported yet, but the risk is significant given the nature of pickle deserialization. The vulnerability is fixed in Fickling version 0.1.7, which properly treats runpy as unsafe, preventing misclassification.

For European organizations, the impact of this vulnerability is substantial, particularly for those relying on Fickling as a security gate in workflows that deserialize pickle data from untrusted or semi-trusted sources. Successful exploitation can lead to remote code execution, compromising confidentiality, integrity, and availability of affected systems. This could result in data breaches, unauthorized access, lateral movement within networks, and potential disruption of critical services. Organizations in sectors such as finance, healthcare, government, and critical infrastructure, where Python-based automation or data processing pipelines are common, are especially at risk. The vulnerability's ease of exploitation without authentication or user interaction increases the threat level. Additionally, the misclassification may lead to false confidence in the safety of deserialized data, increasing exposure. Although no exploits are currently known in the wild, the vulnerability's presence in security tooling itself amplifies risk, as it undermines trust in detection mechanisms.

European organizations should immediately upgrade Fickling to version 0.1.7 or later, which patches the vulnerability by correctly classifying runpy usage as overtly malicious. Until upgrade is possible, organizations should implement additional manual or automated checks for pickle data that invoke runpy or similar dynamic execution modules. Avoid deserializing pickle data from untrusted or unauthenticated sources altogether. Employ defense-in-depth by isolating pickle deserialization processes in sandboxed or containerized environments with minimal privileges. Monitor logs and alerts for suspicious pickle deserialization activities, especially those involving runpy or unexpected module executions. Incorporate alternative safer serialization formats (e.g., JSON, protobuf) where feasible. Conduct security awareness training for developers and security teams about the risks of pickle deserialization and the limitations of current detection tools. Finally, review and update incident response plans to address potential exploitation scenarios involving malicious pickle payloads.