CVE-2026-28364 PUBLISHED

Assigner: mitre
Reserved: 27.02.2026 Published: 27.02.2026 Updated: 27.02.2026

In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
CVSS Score: 7.9

Attack Vector	Local	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	OCaml
Product	OCaml
Versions	Default: unaffected affected from 0 to 4.14.3 (excl.) affected from 5.0.0 to 5.4.1 (excl.)

References

https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-01.json
https://osv.dev/vulnerability/OSEC-2026-01

Problem Types

CWE-126 Buffer Over-read CWE