{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2026-28364", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-02-27T03:54:53.320Z", "datePublished": "2026-02-27T03:54:53.458Z", "dateUpdated": "2026-02-27T15:49:06.382Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageURL": "pkg:opam/ocaml", "product": "OCaml", "vendor": "OCaml", "versions": [{"lessThan": "4.14.3", "status": "affected", "version": "0", "versionType": "semver"}, {"lessThan": "5.4.1", "status": "affected", "version": "5.0.0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-126", "description": "CWE-126 Buffer Over-read", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-27T03:58:04.453Z"}, "references": [{"url": "https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-01.json"}, {"url": "https://osv.dev/vulnerability/OSEC-2026-01"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.14.3"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.4.1"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-27T15:48:53.652379Z", "id": "CVE-2026-28364", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T15:49:06.382Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28364", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-27T15:48:53.652379Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-27T15:49:01.471Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.9, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "OCaml", "product": "OCaml", "versions": [{"status": "affected", "version": "0", "lessThan": "4.14.3", "versionType": "semver"}, {"status": "affected", "version": "5.0.0", "lessThan": "5.4.1", "versionType": "semver"}], "packageURL": "pkg:opam/ocaml", "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-01.json"}, {"url": "https://osv.dev/vulnerability/OSEC-2026-01"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "descriptions": [{"lang": "en", "value": "In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-126", "description": "CWE-126 Buffer Over-read"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.14.3"}, {"criteria": "cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "5.4.1", "versionStartIncluding": "5.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-02-27T03:58:04.453Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28364", "state": "PUBLISHED", "dateUpdated": "2026-02-27T15:49:06.382Z", "dateReserved": "2026-02-27T03:54:53.320Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-02-27T03:54:53.458Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*", "matchCriteriaId": "C54A8C4D-61D8-446B-8DCA-FBF8394EE7B6", "versionEndExcluding": "4.14.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*", "matchCriteriaId": "296325F6-F724-4C88-9A80-6D5696A35225", "versionEndExcluding": "5.4.1", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data."}, {"lang": "es", "value": "En OCaml anterior a 4.14.3 y 5.x anterior a 5.4.1, un desbordamiento de lectura de b\u00fafer en la deserializaci\u00f3n de Marshal (runtime/intern.c) permite la ejecuci\u00f3n remota de c\u00f3digo a trav\u00e9s de una cadena de ataque multifase. La vulnerabilidad radica en la falta de validaci\u00f3n de l\u00edmites en la funci\u00f3n readblock(), que realiza operaciones memcpy() sin l\u00edmites utilizando longitudes controladas por el atacante a partir de datos Marshal manipulados."}], "id": "CVE-2026-28364", "lastModified": "2026-03-06T19:15:08.113", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 4.7, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-27T04:16:03.410", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-01.json"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://osv.dev/vulnerability/OSEC-2026-01"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-126"}], "source": "cve@mitre.org", "type": "Primary"}]}

{"bugzilla": {"description": "ocaml: OCaml: Remote code execution via buffer over-read in Marshal deserialization", "id": "2443348", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2443348"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.9", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N", "status": "draft"}, "cwe": "CWE-125", "details": ["In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.", "A flaw was found in OCaml. A remote attacker could exploit a buffer over-read vulnerability during Marshal deserialization by providing specially crafted data. This issue stems from missing bounds validation in the readblock() function, which performs unbounded memory copy operations. Successful exploitation could lead to remote code execution."], "name": "CVE-2026-28364", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "ocaml", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Affected", "package_name": "ocaml", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Affected", "package_name": "ocaml", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "ocaml", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "ocaml", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-02-27T03:54:53Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-28364\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-28364\nhttps://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-01.json\nhttps://osv.dev/vulnerability/OSEC-2026-01"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,4.14.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0,5.4.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "OCaml", "source": "cna", "vendor": "OCaml"}, "product": "ocaml", "vendor": "ocaml"}], "analysis": {"en": {"generated_at": "2026-04-17T14:03:55.440877+00:00", "value": {"mitigation_remediation": ["Upgrade OCaml to version 4.14.3 or later, or 5.4.1 or newer, to obtain the bound\u2011checking fix.", "If a timely upgrade is not possible, ensure that the Marshal module is only used to deserialize data from fully verified and trusted sources; refuse to process data from external or untrusted inputs.", "Apply a memory\u2011safety tool or compiler option (e.g., address sanitizer) to detect or prevent out\u2011of\u2011bounds reads during development and testing, and consider switching to an alternative serialization library that performs explicit bounds validation."], "summary": {"action": "Patch Now", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "OCaml versions before 4.14.3 and 5.x before 5.4.1 are impacted. The issue affects the runtime component that many applications rely on for deserializing data received from external sources. Any deployment that uses the default Marshal module to process untrusted input is at risk, regardless of the operating environment.", "description_and_impact": "The vulnerability originates from missing bounds checking in OCaml's readblock() routine used during Marshal deserialization. When an attacker supplies crafted Marshal data, the routine performs memcpy calls with lengths derived from that data, causing an out\u2011of\u2011bounds read and an unchecked memory copy. This flaw enables an attacker to execute arbitrary code with the privileges of the running OCaml process. The weakness is classified as a buffer over\u2011read (CWE\u2011125) and an unchecked memory copy (CWE\u2011126).", "risk_and_exploitability": "The CVSS score of 7.9 indicates a high severity, while the EPSS score indicates the likelihood of current exploitation is very low but not zero. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Exfiltration requires an attacker to deliver a specifically crafted Marshal payload to the vulnerable application, typically through a network or file channel. The multi\u2011phase attack chain relies on the unchecked memory copy performed during deserialization, and a successful exploit would allow the attacker to run arbitrary code on the host with the same privileges as the OCaml runtime."}}}}, "created": "2026-02-27T09:02:51.308292+00:00", "updated": "2026-04-17T14:15:21.795607+00:00", "vendors": ["ocaml", "ocaml$PRODUCT$ocaml"]}