OCaml Deserialization Vulnerability Allows Remote Code Execution
OESA-2026-1523
Summary
OCaml contains a vulnerability that allows an attacker to execute unauthorized code on an affected system. It can be triggered when an attacker sends specially crafted data to a system that deserializes it with OCaml. To protect your system, update OCaml to the latest version.
What to do
- Update ocaml to version 4.14.1-6.oe2403.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | ocaml | <= 4.14.1-6.oe2403 | 4.14.1-6.oe2403 |
Original title
ocaml security update
Original description
OCaml is a high-level, strongly-typed, functional and object-oriented programming language from the ML family of languages. This package includes the runtime environment, X11 support, a documentation generator and Emacs support.
Security Fix(es):
In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data. (CVE-2026-28364)
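The defect class described above, a block reader that copies a length taken from the input without checking it against the bytes that remain, is shown below in a hardened form. This is an added example written for this page, not OCaml's runtime/intern.c or any code from the openEuler advisory: the `intern_cursor` type, the `[u32 big-endian length][payload]` record layout, the `readblock_checked` and `parse_record` names and the sample records are all constructed for illustration and do not reproduce the real Marshal format.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Illustrative model of a length-prefixed block reader over untrusted
 * marshalled input. Constructed for this example: the cursor type, the
 * [u32 big-endian length][payload] layout and every function name here are
 * hypothetical and are not OCaml's runtime/intern.c or its Marshal format.
 */
struct intern_cursor {
    const unsigned char *data;   /* start of the untrusted input */
    size_t len;                  /* total bytes available */
    size_t pos;                  /* current read offset, always <= len */
};

enum intern_status {
    INTERN_OK = 0,
    INTERN_ERR_TRUNCATED,        /* header or payload runs past the input */
    INTERN_ERR_DST_TOO_SMALL     /* claimed length exceeds the destination */
};

/* Read a big-endian 32-bit length prefix without reading past the end. */
static enum intern_status read_u32(struct intern_cursor *c, uint32_t *out)
{
    if (c->len - c->pos < 4)
        return INTERN_ERR_TRUNCATED;
    const unsigned char *p = c->data + c->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    c->pos += 4;
    return INTERN_OK;
}

/*
 * Hardened block read. The advisory describes the defect as a memcpy() whose
 * length comes from the input with no bounds check; here the length is checked
 * against the bytes still available (stops the over-read) and against the
 * destination capacity (stops a write overflow) before any copy happens.
 */
static enum intern_status readblock_checked(struct intern_cursor *c,
                                            void *dst, size_t dst_cap, size_t n)
{
    if (n > c->len - c->pos)          /* input cannot supply n bytes */
        return INTERN_ERR_TRUNCATED;
    if (n > dst_cap)                  /* caller's buffer cannot hold them */
        return INTERN_ERR_DST_TOO_SMALL;
    memcpy(dst, c->data + c->pos, n);
    c->pos += n;
    return INTERN_OK;
}

/* Parse one [length][payload] record into dst; *out_len receives the size. */
static enum intern_status parse_record(const unsigned char *input, size_t input_len,
                                       unsigned char *dst, size_t dst_cap,
                                       size_t *out_len)
{
    struct intern_cursor c = { input, input_len, 0 };
    uint32_t n = 0;
    enum intern_status st = read_u32(&c, &n);
    if (st != INTERN_OK)
        return st;
    st = readblock_checked(&c, dst, dst_cap, n);
    if (st == INTERN_OK)
        *out_len = n;
    return st;
}

/* Constructed inputs: a well-formed 3-byte record, and a header claiming
 * 0x7fffffff payload bytes when only two follow. */
static const unsigned char GOOD_RECORD[]    = { 0, 0, 0, 3, 'a', 'b', 'c' };
static const unsigned char CRAFTED_RECORD[] = { 0x7f, 0xff, 0xff, 0xff, 'a', 'b' };

/* Each helper returns the parse status for one scenario. */
static int run_good(void)
{
    unsigned char buf[16]; size_t n = 0;
    int st = parse_record(GOOD_RECORD, sizeof GOOD_RECORD, buf, sizeof buf, &n);
    return (st == INTERN_OK && n == 3 && memcmp(buf, "abc", 3) == 0) ? INTERN_OK : -1;
}

static int run_crafted(void)
{
    unsigned char buf[16]; size_t n = 0;
    return parse_record(CRAFTED_RECORD, sizeof CRAFTED_RECORD, buf, sizeof buf, &n);
}

/* Same good record, but a destination too small to hold its payload. */
static int run_small_dst(void)
{
    unsigned char buf[2]; size_t n = 0;
    return parse_record(GOOD_RECORD, sizeof GOOD_RECORD, buf, sizeof buf, &n);
}

int main(void)
{
    printf("good record:    %d (0 = ok)\n", run_good());
    printf("crafted length: %d (1 = truncated, rejected)\n", run_crafted());
    printf("small dest:     %d (2 = dst too small, rejected)\n", run_small_dst());
    return 0;
}
```

The two checks in `readblock_checked` are deliberately separate: the first is the one the advisory says was missing (length versus remaining input, the over-read), the second guards the write side, and a deserializer needs both because the attacker controls the length field in either case.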
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA... Vendor Advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-28364 Vendor Advisory
Published: 6 Mar 2026 · Updated: 6 Mar 2026 · First seen: 6 Mar 2026