OCaml Deserialization Allows Remote Code Execution

CVE-2026-28364
Summary

OCaml versions 4.14.3 and earlier, and 5.x before 5.4.1, contain a security flaw that allows an attacker to execute arbitrary code on a system. The flaw is triggered when a specially crafted Marshal file is deserialized, which can let the attacker take control of the system. Update to the latest version of OCaml to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor   Product   Affected versions     Fix available
ocaml    ocaml     <= 4.14.3
ocaml    ocaml     > 5.0.0, <= 5.4.1
Original description
In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.
NVD CVSS 3.1 base score: 7.8
Vulnerability type
CWE-126 (Buffer Over-read)
Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026