OCaml: Malicious Data Can Execute Harmful Code Remotely
OESA-2026-1522
Summary
A security update is available for OCaml, a programming language, to prevent malicious data from being used to run unauthorized code remotely. This could allow an attacker to take control of a system. Update to the latest version of OCaml to fix this issue.
What to do
- Update ocaml to version 4.13.1-8.oe2203sp4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | ocaml | <= 4.13.1-8.oe2203sp4 | 4.13.1-8.oe2203sp4 |
Original title
ocaml security update
Original description
OCaml is a high-level, strongly-typed, functional and object-oriented programming language from the ML family of languages. This package includes the runtime environment, X11 support, documentation generator and Emacs.
Security Fix(es):
In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data. (CVE-2026-28364)
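The missing-bounds-check pattern described above, as an added illustration that is not the OCaml runtime's code: a hypothetical length-prefixed block reader in which the unchecked copy trusts the length taken from the data, beside a hardened variant that rejects any length exceeding the remaining input or the destination capacity. The byte strings are constructed samples.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical decoder state for a length-prefixed format; not intern.c. */
struct reader {
    const unsigned char *cur;   /* next unread input byte */
    const unsigned char *end;   /* one past the last input byte */
};

/* Unsafe pattern: 'len' comes from the data and is never compared with
   the bytes actually available, so memcpy() reads past 'end'. */
void readblock_unchecked(struct reader *r, void *dst, size_t len) {
    memcpy(dst, r->cur, len);
    r->cur += len;
}

/* Hardened: validate against both remaining input and destination size
   before touching memory; malformed input yields false, not an over-read. */
bool readblock_checked(struct reader *r, void *dst, size_t dst_cap, size_t len) {
    size_t remaining = (size_t)(r->end - r->cur);
    if (len > remaining || len > dst_cap)
        return false;
    memcpy(dst, r->cur, len);
    r->cur += len;
    return true;
}

/* Decode one block: a 1-byte length prefix followed by that many payload
   bytes. Returns the payload length, or -1 if the data is malformed. */
int decode_block(const unsigned char *buf, size_t buf_len,
                 unsigned char *out, size_t out_cap) {
    struct reader r = { buf, buf + buf_len };
    unsigned char len_byte;
    if (!readblock_checked(&r, &len_byte, sizeof len_byte, 1))
        return -1;
    size_t len = len_byte;                   /* data-controlled length */
    if (!readblock_checked(&r, out, out_cap, len))
        return -1;
    return (int)len;
}

/* Constructed samples: a well-formed block and a truncated one whose
   length prefix (0x10) claims more bytes than the 2 that follow. */
const unsigned char sample_good[] = { 0x03, 'a', 'b', 'c' };
const unsigned char sample_truncated[] = { 0x10, 'a', 'b' };
unsigned char sample_out[8];
```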
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-28364 Vendor Advisory
Published: 6 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026