In Trail of Bits fickling versions up to and including 0.1.11, the UnsafeImportsML analysis pass unconditionally calls AnalysisContext.shorten_code(node) on every import node it inspects, regardless of whether the import is flagged as unsafe. This call registers the shortened code representation in the shared AnalysisContext.reported_shortened_code set. When the MLAllowlist analysis pass subsequently runs, it calls the same shorten_code() method, receives already_reported=True for every import, and executes a continue statement that skips its allowlist check entirely. This renders MLAllowlist dead code for all imports — it never evaluates whether an import is in the ML allowlist or not. The MLAllowlist pass was designed to catch imports of modules outside the known-safe ML ecosystem (torch, numpy, transformers, etc.) that slip past the UnsafeImports denylist. With MLAllowlist inoperative, any standard library module not in the UNSAFE_IMPORTS denylist can be invoked via pickle deseriali
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-14535 is a logic error in Trail of Bits' fickling library (versions ≤0.1.11) affecting its static analysis passes for Python import security inspection. The vulnerability stems from unconditional state registration in the UnsafeImportsML analysis pass, which calls AnalysisContext.shorten_code() on every import node regardless of safety classification. This pollutes a shared state dictionary that subsequent analysis passes rely upon, causing the MLAllowlist pass to incorrectly classify imports as already-reported when they haven't been. The flaw impacts security practitioners and development teams using fickling for automated code security scanning, potentially allowing unsafe imports to bypass detection in analysis pipelines and compromising the integrity of import-level threat detection workflows.
While CVE-2026-14535 doesn't map directly to MITRE ATT&CK techniques, Casky's skills—leveraging Claude AI with extended reasoning capabilities—would detect this vulnerability pattern through analysis of control flow logic errors and state management flaws in static analysis tools themselves. Practitioners using Casky would observe findings related to CWE-693 (Protection Mechanism Failure) in their reports, identifying how analysis context state becomes unreliable when unconditional function calls pollute shared data structures. Detection would focus on the gap between intended security classification (unsafe vs. safe imports) and actual reporting behavior, revealing how state collision causes false negatives. This exemplifies why security tooling itself requires rigorous verification—a compromise in the analyzer directly undermines downstream threat detection capabilities.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-14535. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation