CVE-2026-28364 – OCaml Marshal Deserialization Buffer Over-Read Remote Code Execution

CVE ID : CVE-2026-28364

Published : Feb. 27, 2026, 4:16 a.m. | 55 minutes ago

Description : In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.

Severity: 7.9 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…