OCaml: Unvalidated Data Execution from Untrusted Input

OESA-2026-1526
Summary

A security update for OCaml fixes a bug that could allow an attacker to execute unauthorized code on a system by sending specially crafted Marshal data. This vulnerability affects versions of OCaml before 4.14.3 and 5.4.1. To protect your system, update to the latest version of OCaml as soon as possible.

What to do
  • Update ocaml to version 4.14.1-6.oe2403sp3.
Affected software
Vendor    Product    Affected versions          Fix available
–         ocaml      <= 4.14.1-6.oe2403sp3      4.14.1-6.oe2403sp3
Original title
ocaml security update
Original description
OCaml is a high-level, strongly-typed, functional and object-oriented programming language from the ML family of languages. This package includes the runtime environment, X11 support, documentation generator and Emacs support.

Security Fix(es):

In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data (CVE-2026-28364).
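The defect class the description names, a length field taken from the input driving memcpy() without being checked against the bytes actually present, is shown below as an added C example. This is constructed illustration code written for this page; it is not OCaml's runtime/intern.c or its readblock(), and the reader struct, parse_block() and the demo_* helpers are assumed names. The vulnerable pattern is kept beside the bounds-checked one for contrast, and all inputs are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration of a length-prefixed block reader.  NOT OCaml's
 * intern.c: it only mirrors the class of defect in the advisory, where an
 * attacker-controlled length reaches memcpy() without a bounds check. */

struct reader {
    const unsigned char *cur;   /* next unread byte of the input */
    const unsigned char *end;   /* one past the last valid input byte */
};

/* Vulnerable pattern: trusts the length field.  If len exceeds the bytes
 * left in the input, memcpy() reads past the end of the buffer (over-read).
 * Kept only for contrast; this example never calls it with untrusted input. */
int readblock_unchecked(struct reader *r, uint32_t len, unsigned char *dst) {
    memcpy(dst, r->cur, len);
    r->cur += len;
    return 1;
}

/* Hardened pattern: copy only when the whole block lies inside the remaining
 * input and fits the destination.  Returns 1 on success, 0 on reject. */
int readblock_checked(struct reader *r, uint32_t len,
                      unsigned char *dst, size_t dst_cap) {
    size_t remaining = (size_t)(r->end - r->cur);
    if (len > remaining || len > dst_cap) {
        return 0;   /* truncated or crafted input: refuse to copy anything */
    }
    memcpy(dst, r->cur, len);
    r->cur += len;
    return 1;
}

/* Read a big-endian 32-bit length prefix with the same bounds discipline. */
int read_u32(struct reader *r, uint32_t *out) {
    if ((size_t)(r->end - r->cur) < 4) return 0;
    *out = ((uint32_t)r->cur[0] << 24) | ((uint32_t)r->cur[1] << 16) |
           ((uint32_t)r->cur[2] << 8)  |  (uint32_t)r->cur[3];
    r->cur += 4;
    return 1;
}

/* Parse one length-prefixed block from buf into dst.  Returns the number of
 * payload bytes copied, or -1 when the input is rejected. */
int parse_block(const unsigned char *buf, size_t buf_len,
                unsigned char *dst, size_t dst_cap) {
    struct reader r = { buf, buf + buf_len };
    uint32_t len;
    if (!read_u32(&r, &len)) return -1;
    if (!readblock_checked(&r, len, dst, dst_cap)) return -1;
    return (int)len;
}

/* Well-formed input (constructed): length 3 followed by 3 payload bytes. */
int demo_good(void) {
    const unsigned char in[] = { 0, 0, 0, 3, 'a', 'b', 'c' };
    unsigned char out[16];
    return parse_block(in, sizeof in, out, sizeof out);   /* 3 */
}

/* Crafted input (constructed): length field 0x7fffffff, but only 3 payload
 * bytes follow.  The unchecked reader would memcpy() far past this array. */
int demo_crafted(void) {
    const unsigned char in[] = { 0x7f, 0xff, 0xff, 0xff, 'a', 'b', 'c' };
    unsigned char out[16];
    return parse_block(in, sizeof in, out, sizeof out);   /* -1 */
}

/* Truncated input (constructed): length says 3, only 2 bytes are present. */
int demo_truncated(void) {
    const unsigned char in[] = { 0, 0, 0, 3, 'a', 'b' };
    unsigned char out[16];
    return parse_block(in, sizeof in, out, sizeof out);   /* -1 */
}

int main(void) {
    printf("good: %d\n", demo_good());
    printf("crafted: %d\n", demo_crafted());
    printf("truncated: %d\n", demo_truncated());
    return 0;
}
```

The check in readblock_checked() is the whole fix: the length is compared against both the bytes remaining in the input and the destination capacity before any copy happens, so a crafted or truncated length is rejected instead of driving memcpy() past the buffer. The same rule applies to every length or count field read from a serialized stream.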
Published: 6 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026