PatchSiren cyber security CVE debrief
CVE-2026-28364 OCaml CVE debrief
CVE-2026-28364 is a high-severity vulnerability in OCaml, a multi-paradigm programming language. The vulnerability is caused by a buffer over-read in Marshal, a built-in serialization mechanism in OCaml. This vulnerability allows for remote code execution through a multi-phase attack chain. The issue arises from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data. This vulnerability affects OCaml versions before 4.14.3 and 5.x before 5.4.1.
- Vendor: OCaml
- Product: Unknown
- CVSS: HIGH 7.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-27
- Original CVE updated: 2026-06-30
- Advisory published: 2026-02-27
- Advisory updated: 2026-06-30
Who should care
Users of OCaml, especially those using versions before 4.14.3 and 5.x before 5.4.1, should be concerned about this vulnerability. This includes developers and administrators who use OCaml for building applications, as well as users who rely on software built with OCaml. Given the high severity and potential for remote code execution, immediate attention is required to assess and mitigate the risk.
Technical summary
The vulnerability is caused by a buffer over-read in the Marshal deserialization mechanism of OCaml. Specifically, the readblock() function in runtime/intern.c lacks bounds validation, allowing for unbounded memcpy() operations with attacker-controlled lengths. This can lead to remote code execution through a multi-phase attack chain. The vulnerability has been assigned a CVSS score of 7.9 and is considered high severity. Affected versions include OCaml before 4.14.3 and 5.x before 5.4.1.
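The missing check described above, as an added illustration that is not OCaml's code: a hypothetical in-memory block reader in its unchecked form beside a hardened form that bounds the input-supplied length by the remaining input and the destination capacity before copying. The 4-byte length prefix, the reader struct and the sample buffers are assumptions for the example, not the real Marshal format or runtime/intern.c.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical in-memory reader used to illustrate the bug class; it is
 * not OCaml's runtime/intern.c and does not parse the real Marshal format. */
struct reader {
    const unsigned char *cur;   /* next unread byte */
    const unsigned char *end;   /* one past the last valid input byte */
};

/* Vulnerable pattern: the length comes from the input and is copied
 * without being compared to the bytes that actually remain. */
void readblock_unchecked(struct reader *r, void *dst, size_t len) {
    memcpy(dst, r->cur, len);   /* over-reads the input when len > remaining */
    r->cur += len;
}

/* Hardened form: bound the input-supplied length by both the remaining
 * input and the destination capacity before touching memory.
 * Returns 0 on success, -1 when the block must be rejected. */
int readblock_checked(struct reader *r, void *dst, size_t cap, size_t len) {
    size_t remaining = (size_t)(r->end - r->cur);
    if (len > remaining || len > cap) return -1;
    memcpy(dst, r->cur, len);
    r->cur += len;
    return 0;
}

/* Parse one length-prefixed block (4-byte big-endian length, then payload)
 * from buf[0..n) into out. Returns the payload length, or -1 if the input
 * is truncated, the declared length exceeds what remains, or out is too small. */
long read_prefixed_block(const unsigned char *buf, size_t n,
                         unsigned char *out, size_t cap) {
    struct reader r = { buf, buf + n };
    unsigned char hdr[4];
    if (readblock_checked(&r, hdr, sizeof hdr, sizeof hdr) != 0) return -1;
    size_t len = ((size_t)hdr[0] << 24) | ((size_t)hdr[1] << 16)
               | ((size_t)hdr[2] << 8)  |  (size_t)hdr[3];
    if (readblock_checked(&r, out, cap, len) != 0) return -1;
    return (long)len;
}

/* Constructed samples: GOOD_SAMPLE declares 4 payload bytes and carries 4;
 * BAD_SAMPLE declares 4096 (0x1000) but carries only 4. SCRATCH is a
 * destination buffer for callers. */
const unsigned char GOOD_SAMPLE[] = {0x00, 0x00, 0x00, 0x04, 'd', 'a', 't', 'a'};
const unsigned char BAD_SAMPLE[]  = {0x00, 0x00, 0x10, 0x00, 'd', 'a', 't', 'a'};
unsigned char SCRATCH[64];
```

With the checked reader, the oversized declared length in BAD_SAMPLE is rejected before any copy instead of reading 4096 bytes past an 8-byte buffer.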
Defensive priority
High priority should be given to updating OCaml to 4.14.3 or later on the 4.x branch, or 5.4.1 or later on the 5.x branch. In the meantime, defenders should review their inventory of OCaml-based applications and assess the potential impact of this vulnerability.
Recommended defensive actions
- Update OCaml to version 4.14.3 or later for users of the 4.x branch.
- Update OCaml to version 5.4.1 or later for users of the 5.x branch.
- Review and assess the inventory of OCaml-based applications for potential exposure.
- Implement compensating controls such as monitoring for suspicious Marshal deserialization activity.
- Consider applying patches or mitigations provided by vendors or the open-source community.
Evidence notes
The CVE-2026-28364 vulnerability was publicly disclosed on February 27, 2026, and has since been modified on June 30, 2026. The vulnerability affects OCaml versions before 4.14.3 and 5.x before 5.4.1. The CVSS score is 7.9, indicating high severity. The vulnerability allows for remote code execution through a multi-phase attack chain due to a buffer over-read in Marshal deserialization.
Official resources
- CVE-2026-28364 CVE record (CVE.org)
- CVE-2026-28364 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.