Buffer Over-Read Vulnerability in OCaml Products by OCaml Software
CVE-2026-28364

7.9HIGH

Key Information:

Vendor: Ocaml
Status: Ocaml
Vendor: CVE Published:; 27 February 2026

What is CVE-2026-28364?

A buffer over-read vulnerability exists in OCaml versions prior to 4.14.3 and 5.x versions before 5.4.1, specifically within the Marshal deserialization process. This weakness results from inadequate bounds checking in the readblock() function, leading to unbounded memcpy() operations that can be exploited by attackers through a carefully crafted dataset. Successfully executing an attack can enable remote code execution, making it essential for users to apply appropriate security patches.

Affected Version(s)

OCaml 0 < 4.14.3

OCaml 5.0.0 < 5.4.1

References

https://github.com/ocaml/security-advisories/blob/generat...

https://osv.dev/vulnerability/OSEC-2026-01

CVSS V3.1

Score:

7.9

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 27, 2026
Vulnerability Reserved
Feb 27, 2026

CVE-2026-28364 Data

JSON

Ocaml

What is CVE-2026-28364?

Affected Version(s)

References

CVSS V3.1

Timeline