CVE-2026-28364

NameCVE-2026-28364
DescriptionIn OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1129317

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ocaml (PTS)bullseye4.11.1-4vulnerable
bookworm4.13.1-4vulnerable
trixie5.3.0-3vulnerable
forky, sid5.4.0-3vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ocamlsourceexperimental5.4.1-1~exp1
ocamlsource(unstable)(unfixed)1129317

Notes

https://osv.dev/vulnerability/OSEC-2026-01
Fixed by: https://github.com/ocaml/ocaml/commit/e3919fef436f89271bc30bbe8592851f7289fb68 (5.4.1)
Fixed by: https://github.com/ocaml/ocaml/commit/b0a2614684a52acded784ec213f14ddfe085d146 (4.13.3)
Search for package or bug name: Reporting problems