Description
In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.
Published: 2026-02-27
Score: 7.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

The vulnerability originates from missing bounds checking in OCaml's readblock() routine used during Marshal deserialization. When an attacker supplies crafted Marshal data, the routine performs memcpy calls with lengths derived from that data, causing an out‑of‑bounds read and an unchecked memory copy. This flaw enables an attacker to execute arbitrary code with the privileges of the running OCaml process. The weakness is classified as a buffer over‑read (CWE‑125) and an unchecked memory copy (CWE‑126).

Affected Systems

OCaml versions before 4.14.3 and 5.x before 5.4.1 are impacted. The issue affects the runtime component that many applications rely on for deserializing data received from external sources. Any deployment that uses the default Marshal module to process untrusted input is at risk, regardless of the operating environment.

Risk and Exploitability

The CVSS score of 7.9 indicates a high severity, while the EPSS score indicates the likelihood of current exploitation is very low but not zero. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires an attacker to deliver a specifically crafted Marshal payload to the vulnerable application, typically through a network or file channel. The multi-phase attack chain relies on the unchecked memory copy performed during deserialization, and a successful exploit would allow the attacker to run arbitrary code on the host with the same privileges as the OCaml runtime.

Generated by OpenCVE AI on April 17, 2026 at 14:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OCaml to version 4.14.3 or later, or 5.4.1 or newer, to obtain the bounds-checking fix.
  • If a timely upgrade is not possible, ensure that the Marshal module is only used to deserialize data from fully verified and trusted sources; refuse to process data from external or untrusted inputs.
  • Apply a memory‑safety tool or compiler option (e.g., address sanitizer) to detect or prevent out‑of‑bounds reads during development and testing, and consider switching to an alternative serialization library that performs explicit bounds validation.
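The first recommended action is a version check, and in a fleet that is easiest to do with a script. The following POSIX sh helper is an added example written for this page, not OpenCVE's or the OCaml project's code. It classifies a version string against the ranges named in the description (everything below 4.14.3, and 5.x below 5.4.1) and, when `ocamlc` is on PATH, reports on the local install; it assumes `ocamlc -version` prints a bare version number such as `4.14.1` and does not enumerate opam switches or vendored runtimes, which must be checked separately.

```shell
#!/bin/sh
# Added example (not OpenCVE's or OCaml's code): flag OCaml installs whose
# version lies in the ranges the advisory names, i.e. anything below 4.14.3
# and any 5.x below 5.4.1.

# Reduce a version string to "MAJOR MINOR PATCH". Leading text such as
# "The OCaml toplevel, version " and suffixes such as "+flambda" are ignored;
# a missing patch component yields an empty third field.
version_triplet() {
    printf '%s\n' "$1" |
      sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\{0,1\}\([0-9]*\).*/\1 \2 \3/p'
}

# Exit status 0 = version is in an affected range, 1 = outside the ranges,
# 2 = the string could not be parsed. A missing patch level counts as 0.
ocaml_version_affected() {
    set -- $(version_triplet "$1")
    if [ -z "$1" ]; then
        return 2
    fi
    major=$1; minor=$2; patch=${3:-0}
    if [ "$major" -lt 4 ]; then
        return 0                      # "before 4.14.3" covers older majors too
    elif [ "$major" -eq 4 ]; then
        if [ "$minor" -lt 14 ]; then return 0; fi
        if [ "$minor" -eq 14 ] && [ "$patch" -lt 3 ]; then return 0; fi
        return 1
    elif [ "$major" -eq 5 ]; then
        if [ "$minor" -lt 4 ]; then return 0; fi
        if [ "$minor" -eq 4 ] && [ "$patch" -lt 1 ]; then return 0; fi
        return 1
    else
        return 1                      # 6.x and later are outside the stated ranges
    fi
}

# Report on the locally installed compiler, if there is one.
if command -v ocamlc >/dev/null 2>&1; then
    v=$(ocamlc -version)
    if ocaml_version_affected "$v"; then
        echo "ocamlc $v: affected, upgrade to 4.14.3 / 5.4.1 or later"
    else
        echo "ocamlc $v: not in the affected ranges"
    fi
fi
```

Run it on each host, or feed `ocaml_version_affected` the output of `opam switch list` or a container image's `ocamlc -version` to cover installs that are not on the default PATH.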

Advisories

No advisories yet.

History

Tue, 03 Mar 2026 00:15:00 +0000

Type         Values Removed           Values Added
Title                                 ocaml: OCaml: Remote code execution via buffer over-read in Marshal deserialization
Weaknesses                            CWE-125
References
Metrics      threat_severity: None    threat_severity: Important


Fri, 27 Feb 2026 16:15:00 +0000

Type         Values Removed           Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 04:15:00 +0000

Type                  Values Removed  Values Added
Description                           In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.
First Time appeared                   Ocaml; Ocaml ocaml
Weaknesses                            CWE-126
CPEs                                  cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*
Vendors & Products                    Ocaml; Ocaml ocaml
References
Metrics                               cvssV3_1: {'score': 7.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-02-27T15:49:06.382Z

Reserved: 2026-02-27T03:54:53.320Z

Link: CVE-2026-28364

Vulnrichment

Updated: 2026-02-27T15:49:01.471Z

NVD

Status : Analyzed

Published: 2026-02-27T04:16:03.410

Modified: 2026-03-06T19:15:08.113

Link: CVE-2026-28364

Redhat

Severity : Important

Public Date: 2026-02-27T03:54:53Z

Links: CVE-2026-28364 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses