PT-2026-22292 · Ocaml · Ocaml
Justin Timperio
·
Published
2026-02-17
·
Updated
2026-03-17
·
CVE-2026-28364
CVSS v3.1
7.9
High
| Vector | AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
OCaml versions prior to 4.14.3 and 5.x versions prior to 5.4.1
Description
A flaw exists in OCaml's Marshal deserialization process (within runtime/intern.c) that could allow for remote code execution. This issue stems from a missing bounds check in the readblock() function, which allows unbounded memcpy() operations using lengths controlled by an attacker from crafted Marshal data. The Marshal.from_channel, Marshal.from_bytes, Marshal.from_string, Stdlib.input_value, and Pervasives.input_value functions are affected when processing data from untrusted sources. The vulnerability can be triggered by corrupted or malicious marshaled data that causes undefined behavior in the runtime system when unmarshaled.
Recommendations
Upgrade to OCaml version 4.14.3 or later.
Upgrade to OCaml version 5.4.1 or later.
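To make the defect class in the description concrete, the following is an added C illustration written for this page; it is not OCaml's runtime/intern.c and makes no claim about how the upstream fix is written. It models a block reader whose copy length is taken from the data itself, once without any bounds check (the pattern the advisory describes) and once with a check that rejects a length exceeding the remaining input or the destination's capacity. The names readblock_unchecked, readblock_checked and parse_record, and the one-byte length-prefixed record format, are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not OCaml's runtime/intern.c: a cursor over a
 * buffer of marshaled bytes from which fixed-size blocks are copied out. */
struct reader {
    const unsigned char *cur; /* next unread input byte */
    const unsigned char *end; /* one past the last valid input byte */
};

/* The defect class the advisory describes: the copy length comes straight
 * from the (possibly hostile) data and is never compared with the bytes left
 * in the input or with the destination's capacity, so memcpy() can read past
 * `end` and write past `dst`. Only safe for a length the caller has already
 * validated; kept here purely to show the missing check. */
static void readblock_unchecked(struct reader *r, void *dst, size_t len)
{
    memcpy(dst, r->cur, len);
    r->cur += len;
}

/* Hardened form: reject a length that exceeds either the destination or the
 * remaining input. Returns 0 on success, -1 on a malformed length. */
static int readblock_checked(struct reader *r, void *dst, size_t dst_cap,
                             size_t len)
{
    if (len > dst_cap)
        return -1;
    if ((size_t)(r->end - r->cur) < len)
        return -1;
    memcpy(dst, r->cur, len);
    r->cur += len;
    return 0;
}

/* Parse one constructed record: a 1-byte length followed by that many payload
 * bytes. Returns the payload length on success, -1 when the record is empty
 * or truncated, the length field exceeds the caller's buffer, or trailing
 * bytes follow the payload. */
static int parse_record(const unsigned char *buf, size_t n,
                        unsigned char *out, size_t out_cap)
{
    struct reader r = { buf, buf + n };
    if (r.cur == r.end)
        return -1;             /* no length byte at all */
    size_t len = *r.cur++;     /* attacker-controlled length field */
    if (readblock_checked(&r, out, out_cap, len) != 0)
        return -1;
    if (r.cur != r.end)
        return -1;             /* reject trailing garbage */
    return (int)len;
}

int main(void)
{
    /* Constructed sample inputs. */
    static const unsigned char good[] = { 3, 'a', 'b', 'c' };
    static const unsigned char lying[] = { 200, 'a', 'b' }; /* claims 200, carries 2 */
    unsigned char out[16];

    int n = parse_record(good, sizeof good, out, sizeof out);
    printf("good record: %d payload bytes\n", n);

    /* The unchecked reader is harmless only because the length was validated. */
    struct reader r = { good + 1, good + sizeof good };
    readblock_unchecked(&r, out, 3);
    printf("unchecked copy of validated length: %.3s\n", (const char *)out);

    n = parse_record(lying, sizeof lying, out, sizeof out);
    printf("over-long length field: %s\n", n < 0 ? "rejected" : "accepted");
    return 0;
}
```

The check in readblock_checked is the whole mitigation: every length that originates in the data is compared against both the bytes still available and the space being written to before memcpy() runs, so a forged length fails closed instead of over-reading or overwriting memory.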
Fix
RCE
Buffer Over-read
Weakness Enumeration
Related identifiers
Affected products
Ocaml