PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28364 OCaml CVE debrief

CVE-2026-28364 is a high-severity vulnerability in OCaml, a multi-paradigm programming language. The vulnerability is caused by a buffer over-read in Marshal, a built-in serialization mechanism in OCaml. This vulnerability allows for remote code execution through a multi-phase attack chain. The issue arises from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data. This vulnerability affects OCaml versions before 4.14.3 and 5.x before 5.4.1.

Vendor: OCaml
Product: Unknown
CVSS: HIGH 7.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-27
Original CVE updated: 2026-06-30
Advisory published: 2026-02-27
Advisory updated: 2026-06-30

Who should care

Users of OCaml, especially those using versions before 4.14.3 and 5.x before 5.4.1, should be concerned about this vulnerability. This includes developers and administrators who use OCaml for building applications, as well as users who rely on software built with OCaml. Given the high severity and potential for remote code execution, immediate attention is required to assess and mitigate the risk.

Technical summary

The vulnerability is caused by a buffer over-read in the Marshal deserialization mechanism of OCaml. Specifically, the readblock() function in runtime/intern.c lacks bounds validation, allowing for unbounded memcpy() operations with attacker-controlled lengths. This can lead to remote code execution through a multi-phase attack chain. The vulnerability has been assigned a CVSS score of 7.9 and is considered high severity. Affected versions include OCaml before 4.14.3 and 5.x before 5.4.1.
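To make the missing-bounds-validation pattern concrete, the following is an added C illustration written for this debrief; it is not the OCaml runtime's code and does not reproduce runtime/intern.c. The cursor structure, the readblock_unchecked/readblock_checked names and the 4-byte length-prefix framing are assumptions chosen for the example. It shows a block reader that trusts a length taken from the input beside a hardened reader that refuses any read exceeding the bytes that remain, and it exercises the hardened reader on constructed inputs whose announced length does not match the data actually present.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical read cursor over an in-memory serialized input. The names,
 * the framing and the helpers below are assumptions made for this
 * illustration; they are not the OCaml runtime's runtime/intern.c. */
struct cursor {
    const unsigned char *data;
    size_t len;  /* bytes available in data */
    size_t pos;  /* bytes consumed so far; invariant: pos <= len */
};

/* The pattern the advisory describes: the length is taken on trust, so a
 * value larger than what remains makes memcpy() read past the input buffer. */
static void readblock_unchecked(struct cursor *c, void *dst, size_t n) {
    memcpy(dst, c->data + c->pos, n);
    c->pos += n;
}

/* Hardened variant: refuse any read that does not fit in the remaining input.
 * Comparing n against (len - pos) cannot underflow because pos <= len. */
static int readblock_checked(struct cursor *c, void *dst, size_t n) {
    if (n > c->len - c->pos)
        return -1;
    memcpy(dst, c->data + c->pos, n);
    c->pos += n;
    return 0;
}

/* Parse one block framed as a 4-byte big-endian length followed by payload.
 * Returns the payload length copied into dst, or -1 if the input is malformed
 * (header truncated, announced length exceeds the input, or exceeds dst_cap). */
static long read_length_prefixed_block(const unsigned char *input, size_t input_len,
                                       unsigned char *dst, size_t dst_cap) {
    struct cursor c = { input, input_len, 0 };
    unsigned char hdr[4];
    if (readblock_checked(&c, hdr, sizeof hdr) != 0)
        return -1;
    uint32_t claimed = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16)
                     | ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    if (claimed > dst_cap)                          /* would overflow the destination */
        return -1;
    if (readblock_checked(&c, dst, claimed) != 0)   /* would over-read the source */
        return -1;
    return (long)claimed;
}

/* Constructed sample inputs for this illustration (not real Marshal data). */
static const unsigned char WELL_FORMED[] = { 0, 0, 0, 5,  'h', 'e', 'l', 'l', 'o' };
static const unsigned char TRUNCATED[]   = { 0, 0, 0, 16, 'h', 'e', 'l', 'l', 'o' }; /* claims 16, carries 5 */
static const unsigned char OVERSIZED[]   = { 0xFF, 0xFF, 0xFF, 0xFF };               /* claims ~4 GiB, carries 0 */

static long demo_well_formed(void) {
    unsigned char out[64];
    return read_length_prefixed_block(WELL_FORMED, sizeof WELL_FORMED, out, sizeof out);
}
static long demo_truncated(void) {
    unsigned char out[64];
    return read_length_prefixed_block(TRUNCATED, sizeof TRUNCATED, out, sizeof out);
}
static long demo_oversized(void) {
    unsigned char out[64];
    return read_length_prefixed_block(OVERSIZED, sizeof OVERSIZED, out, sizeof out);
}

int main(void) {
    unsigned char out[64];
    struct cursor c = { WELL_FORMED, sizeof WELL_FORMED, 0 };
    /* The unchecked reader is only ever invoked here on input that fits. */
    readblock_unchecked(&c, out, sizeof WELL_FORMED);
    printf("well-formed: %ld\n", demo_well_formed());   /* 5 */
    printf("truncated:   %ld\n", demo_truncated());     /* -1 */
    printf("oversized:   %ld\n", demo_oversized());     /* -1 */
    return 0;
}
```

The defensive point is the shape of the check, not the framing: every copy driven by a length read from untrusted input is compared against both the bytes remaining in the source and the capacity of the destination before memcpy() runs, and the cursor only advances after a successful check, which is what keeps the pos <= len invariant (and therefore the subtraction) sound.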

Defensive priority

High priority should be given to updating OCaml to version 4.14.3 or later on the 4.x branch, or 5.4.1 or later on the 5.x branch. In the meantime, defenders should review their inventory of OCaml-based applications and assess the potential impact of this vulnerability.

Recommended defensive actions

  • Update OCaml to version 4.14.3 or later for users of the 4.x branch.
  • Update OCaml to version 5.4.1 or later for users of the 5.x branch.
  • Review and assess the inventory of OCaml-based applications for potential exposure.
  • Implement compensating controls such as monitoring for suspicious Marshal deserialization activity.
  • Consider applying patches or mitigations provided by vendors or the open-source community.

Evidence notes

The CVE-2026-28364 vulnerability was publicly disclosed on February 27, 2026, and its record was last updated on June 30, 2026. The vulnerability affects OCaml versions before 4.14.3 and 5.x before 5.4.1. The CVSS score is 7.9, indicating high severity. The vulnerability allows for remote code execution through a multi-phase attack chain due to a buffer over-read in Marshal deserialization.

Official resources

This article is AI-assisted and based on the supplied source corpus.