PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3490 picklescan CVE debrief

CVE-2026-3490 is a critical vulnerability in the picklescan library: versions before 1.0.4 fail to block the `pkgutil.resolve_name` function. Because `pkgutil.resolve_name` turns a dotted string into any importable callable, an attacker can bypass the entire blocklist by resolving a dangerous function through an indirect REDUCE call and then invoke blocked functions such as `os.system`, `builtins.exec`, or `subprocess.call`, achieving remote code execution. The vulnerability has a CVSS score of 10, the highest severity. Organizations using picklescan versions before 1.0.4 are urged to update to the latest version to mitigate this risk.

Vendor
picklescan
Product
Unknown
CVSS
CRITICAL 10
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-18
Advisory published
2026-06-17
Advisory updated
2026-06-18

Who should care

Developers and administrators using the picklescan library, especially in environments where remote code execution could have significant impacts, should prioritize updating to version 1.0.4 or later. This vulnerability's critical severity and potential for remote code execution make it a high-priority concern for security teams.

Technical summary

The picklescan library, prior to version 1.0.4, is vulnerable to a blocklist bypass because it does not block the `pkgutil.resolve_name` function. A malicious pickle can reach this function through indirect REDUCE calls and use it to obtain and invoke dangerous functions that the blocklist was intended to reject. The vulnerability carries a CVSS score of 10 (critical). The attack vector is network-based, with low attack complexity and no prerequisites for exploitation.

Defensive priority

high

Recommended defensive actions

  • Update picklescan to version 1.0.4 or later
  • Review and restrict usage of `pkgutil.resolve_name` in applications
  • Implement additional security measures to monitor and limit REDUCE calls
  • Conduct regular vulnerability assessments to identify outdated libraries
  • Consider alternative libraries with more robust security features
  • Enhance network security to detect and prevent exploitation attempts
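As an added example (not picklescan's own code), the following standalone check illustrates the "restrict `pkgutil.resolve_name`" and "limit REDUCE calls" actions above: it parses a pickle stream with `pickletools.genops` without executing it and flags any GLOBAL or STACK_GLOBAL opcode that imports an indirect resolver. The denylist and the sample byte strings are constructed assumptions, not values from the advisory.

```python
import pickle
import pickletools

# Assumed denylist of "indirect resolvers": callables that turn a string into
# an arbitrary importable object. None of them executes anything by itself, but
# reaching one from a pickle defeats a name-based blocklist, which is exactly
# the CVE-2026-3490 bypass. Extend as needed.
INDIRECT_RESOLVERS = {
    ("pkgutil", "resolve_name"),
    ("importlib", "import_module"),
    ("builtins", "getattr"),
    ("builtins", "__import__"),
}


def find_indirect_resolvers(data: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, module, name) for every GLOBAL / STACK_GLOBAL opcode that
    imports a denylisted resolver. pickletools.genops only parses the opcode
    stream; no object is ever unpickled, so scanning is safe on hostile input."""
    hits = []
    recent_strings: list[str] = []  # string constants pushed so far (STACK_GLOBAL operands)
    for op, arg, pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)  # protocol 0-3: "module name" as one operand
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                # Malformed stream (no string operands): flag rather than trust it.
                hits.append((pos, "<malformed>", "STACK_GLOBAL"))
                continue
            # protocol 4+: operands are the last two string constants pushed
            module, name = recent_strings[-2], recent_strings[-1]
        else:
            if isinstance(arg, str) and op.name.endswith(("UNICODE", "STRING")):
                recent_strings.append(arg)
            continue
        if (module, name) in INDIRECT_RESOLVERS:
            hits.append((pos, module, name))
    return hits


def is_safe_to_load(data: bytes) -> bool:
    """Gate to run before pickle.loads(): reject any stream that reaches an indirect resolver."""
    return not find_indirect_resolvers(data)


# Constructed sample streams (hand-written opcode bytes, not real model files).
SAMPLE_GLOBAL = b"cpkgutil\nresolve_name\n."  # protocol 0 GLOBAL opcode
SAMPLE_STACK_GLOBAL = b"\x80\x04\x8c\x07pkgutil\x8c\x0cresolve_name\x93."  # protocol 4 STACK_GLOBAL
SAMPLE_BENIGN = pickle.dumps({"scores": [1, 2, 3]}, protocol=4)  # plain data, no imports

if __name__ == "__main__":
    for label, blob in [("GLOBAL", SAMPLE_GLOBAL), ("STACK_GLOBAL", SAMPLE_STACK_GLOBAL), ("benign", SAMPLE_BENIGN)]:
        print(label, "safe" if is_safe_to_load(blob) else find_indirect_resolvers(blob))
```

A gate like this belongs in front of any `pickle.loads` of untrusted data alongside an upgraded picklescan; it supplements rather than replaces the full blocklist, since a pickle that imports `os.system` directly never touches a resolver.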

Evidence notes

The information provided is based on data from official sources, including the CVE record and NVD details. The vulnerability's existence and details have been confirmed by multiple sources, including Vulncheck and GitHub advisories.

Official resources

CVE-2026-3490 was published on 2026-06-17T17:16:50.727Z and modified on 2026-06-18T17:16:30.627Z.