Description
In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, and resultant reading of arbitrary memory, when untrusted data is processed.
Published: 2026-03-27
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Memory Read via Integer Overflow
Action: Patch Now
AI Analysis

Impact

An integer overflow occurs in OCaml's Bigarray.reshape function when processing untrusted data, allowing the program to read memory beyond intended bounds. This flaw can expose sensitive information from the process's address space, representing a moderate confidentiality breach. No direct execution or denial‑of‑service effect is claimed, but the ability to read arbitrary memory increases the attack surface significantly.

Affected Systems

Unpatched OCaml versions up to and including 4.14.3 are affected. The issue was identified in the OCaml toolchain, specifically the Bigarray library. Updating to versions released after the patch in the referenced pull request eliminates the vulnerability.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to provide crafted input to a program that uses OCaml's Bigarray.reshape. While the attack vector is likely local or within a controlled environment, any application that processes untrusted data with OCaml remains at risk until patched.

Generated by OpenCVE AI on March 27, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OCaml distribution to a version published after the fix in pull request #14674 (at least 4.14.4).
  • Recompile all applications that link against OCaml’s Bigarray module to ensure they use the patched library.
  • If an immediate upgrade is infeasible, isolate or sanitize untrusted input before calling Bigarray.reshape, and limit its use to trusted data sources.
  • Regularly check the OCaml project’s repository and security advisories for further updates or notices.

Generated by OpenCVE AI on March 27, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Title Integer Overflow in OCaml Bigarray.reshape Allowing Arbitrary Memory Read ocaml: OCaml: Information disclosure via integer overflow in Bigarray.reshape
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 27 Mar 2026 09:30:00 +0000

Type Values Removed Values Added
Title Integer Overflow in OCaml Bigarray.reshape Allowing Arbitrary Memory Read

Fri, 27 Mar 2026 05:30:00 +0000

Type Values Removed Values Added
Description In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, and resultant reading of arbitrary memory, when untrusted data is processed.
First Time appeared Ocaml
Ocaml ocaml
Weaknesses CWE-190
CPEs cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*
Vendors & Products Ocaml
Ocaml ocaml
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Ocaml Ocaml
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-27T13:45:47.350Z

Reserved: 2026-03-27T04:55:57.875Z

Link: CVE-2026-34353

cve-icon Vulnrichment

Updated: 2026-03-27T13:40:03.293Z

cve-icon NVD

Status : Received

Published: 2026-03-27T06:16:39.333

Modified: 2026-03-27T06:16:39.333

Link: CVE-2026-34353

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-27T04:55:58Z

Links: CVE-2026-34353 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:22:18Z

Weaknesses