CVE-2026-28364

In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.

CVSS v3 7.9 HIGH

7.9^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.5 / Impact : 4.7

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-01.json	Vendor Advisory
https://osv.dev/vulnerability/OSEC-2026-01	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ocaml:ocaml::::::::
	cpe:2.3:a:ocaml:ocaml::::::::

History

06 Mar 2026, 19:15

Type	Values Removed	Values Added
First Time		Ocaml Ocaml ocaml
CPE		cpe:2.3:a:ocaml:ocaml::::::::
References	~~() https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-01.json -~~	() https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-01.json - Vendor Advisory
References	~~() https://osv.dev/vulnerability/OSEC-2026-01 -~~	() https://osv.dev/vulnerability/OSEC-2026-01 - Third Party Advisory

27 Feb 2026, 14:06

Type	Values Removed	Values Added
Summary		(es) En OCaml anterior a 4.14.3 y 5.x anterior a 5.4.1, un desbordamiento de lectura de búfer en la deserialización de Marshal (runtime/intern.c) permite la ejecución remota de código a través de una cadena de ataque multifase. La vulnerabilidad radica en la falta de validación de límites en la función readblock(), que realiza operaciones memcpy() sin límites utilizando longitudes controladas por el atacante a partir de datos Marshal manipulados.

27 Feb 2026, 04:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-27 04:16

Updated : 2026-03-06 19:15

NVD link : CVE-2026-28364

Mitre link : CVE-2026-28364

CVE.ORG link : CVE-2026-28364

JSON object : View

Products Affected

ocaml

ocaml

CWE

CWE-126

Buffer Over-read

{"id": "CVE-2026-28364", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.9, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.5}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2026-02-27T04:16:03.410", "references": [{"url": "https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-01.json", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://osv.dev/vulnerability/OSEC-2026-01", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-126"}]}], "descriptions": [{"lang": "en", "value": "In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data."}, {"lang": "es", "value": "En OCaml anterior a 4.14.3 y 5.x anterior a 5.4.1, un desbordamiento de lectura de b\u00fafer en la deserializaci\u00f3n de Marshal (runtime/intern.c) permite la ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s de una cadena de ataque multifase. La vulnerabilidad radica en la falta de validaci\u00f3n de l\u00edmites en la funci\u00f3n readblock(), que realiza operaciones memcpy() sin l\u00edmites utilizando longitudes controladas por el atacante a partir de datos Marshal manipulados."}], "lastModified": "2026-03-06T19:15:08.113", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C54A8C4D-61D8-446B-8DCA-FBF8394EE7B6", "versionEndExcluding": "4.14.3"}, {"criteria": "cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "296325F6-F724-4C88-9A80-6D5696A35225", "versionEndExcluding": "5.4.1", "versionStartIncluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}