OCaml: Untrusted Code Can Run on Your System
OESA-2026-1524
Summary
A security update is available for OCaml, a programming language used to build software. The fixed bug (CVE-2026-28364) is a buffer over-read in the Marshal deserializer of the OCaml runtime, so any OCaml program on the system that unmarshals attacker-supplied data could be made to run malicious code. We recommend applying the security update to ensure your system remains secure.
What to do
- Update ocaml to version 4.14.1-6.oe2403sp1.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| openEuler | ocaml | < 4.14.1-6.oe2403sp1 | 4.14.1-6.oe2403sp1 |
Original title
ocaml security update
Original description
OCaml is a high-level, strongly-typed, functional and object-oriented programming language from the ML family of languages. This package includes the runtime environment, X11 support, documentation generator and emacs.
Security Fix(es):
In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.(CVE-2026-28364)
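The bug class described above, as an added illustration that is not part of the advisory and not the OCaml runtime's code: a toy block reader in the style of a Marshal deserializer, with the unchecked form (a length taken from the input drives memcpy() with no comparison against the bytes remaining) beside a hardened form that rejects a block whose declared length exceeds the remaining input. The message format, the struct reader type, the function names and the sample input are all constructed for this example and do not reproduce the real intern.c layout; the adjacent "SECRET!!" bytes are placed in the same array only so that the over-read stays inside one allocation and the program has defined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of a Marshal-style "read a block of N bytes" routine.
 * Constructed to illustrate the bug class named in CVE-2026-28364
 * (a block reader that trusts a length taken from the input); it is
 * not the OCaml runtime's intern.c and does not reproduce its format.
 */
struct reader {
    const unsigned char *cur;  /* next unread byte of the message */
    const unsigned char *end;  /* one past the last byte of the message */
};

/* Vulnerable form: the length came from the input and is never compared
 * with the bytes that remain, so memcpy() can read past the message. */
void readblock_unchecked(struct reader *r, unsigned char *dst, size_t len)
{
    memcpy(dst, r->cur, len);
    r->cur += len;
}

/* Hardened form: reject any block whose declared length exceeds the
 * number of bytes still available. The subtraction is safe because
 * cur <= end is an invariant the reader maintains. */
bool readblock_checked(struct reader *r, unsigned char *dst, size_t len)
{
    if (len > (size_t)(r->end - r->cur))
        return false;              /* malformed or malicious input */
    memcpy(dst, r->cur, len);
    r->cur += len;
    return true;
}

/*
 * Constructed sample input. The first byte is a length header that claims
 * 12 payload bytes, but only 4 bytes of payload belong to the message
 * (MSG_LEN counts header plus real payload). The 8 bytes after MSG_LEN
 * live in the same array only so the over-read below stays within one
 * allocation; they stand in for whatever sits next to the input in a
 * real process.
 */
#define MSG_LEN 5
#define DST_CAP 16
static const unsigned char ARENA[] = {
    0x0c,                                   /* declared length: 12 */
    'd', 'a', 't', 'a',                     /* the 4 real payload bytes */
    'S', 'E', 'C', 'R', 'E', 'T', '!', '!'  /* adjacent memory, not message data */
};

/* Runs the unchecked reader on the sample and returns how many bytes it
 * consumed beyond the end of the message (8 for this input). */
size_t bytes_read_past_end_unchecked(void)
{
    struct reader r = { ARENA + 1, ARENA + MSG_LEN };
    unsigned char dst[DST_CAP] = { 0 };
    readblock_unchecked(&r, dst, ARENA[0]);
    return (size_t)(r.cur - r.end);
}

/* True if the unchecked reader copied the adjacent bytes into the
 * destination, i.e. the over-read disclosed memory outside the message. */
bool leaked_adjacent_bytes_unchecked(void)
{
    struct reader r = { ARENA + 1, ARENA + MSG_LEN };
    unsigned char dst[DST_CAP] = { 0 };
    readblock_unchecked(&r, dst, ARENA[0]);
    return memcmp(dst + 4, ARENA + MSG_LEN, 8) == 0;
}

/* True if the checked reader refuses the same input without copying
 * anything or advancing the cursor. */
bool checked_reader_rejects(void)
{
    struct reader r = { ARENA + 1, ARENA + MSG_LEN };
    unsigned char dst[DST_CAP] = { 0 };
    bool ok = readblock_checked(&r, dst, ARENA[0]);
    return !ok && r.cur == ARENA + 1 && dst[0] == 0;
}

int main(void)
{
    printf("unchecked reader read %zu bytes past the message end\n",
           bytes_read_past_end_unchecked());
    printf("adjacent bytes leaked into destination: %s\n",
           leaked_adjacent_bytes_unchecked() ? "yes" : "no");
    printf("checked reader rejected the input: %s\n",
           checked_reader_rejects() ? "yes" : "no");
    return 0;
}
```

The check that matters is the single comparison of the declared length against the bytes still available before any copy happens; everything else in the reader can stay the same. Applying the package update is the fix for the runtime itself, and independent of the runtime version, programs should not unmarshal data of unknown provenance, since Marshal was never designed to be safe against hostile input.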
References
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-28364 NVD entry
Published: 6 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026