PT-2018-3635 · Inria+2 · Ocaml+2

Maximilian Tschirschnitz

Published

2018-04-06

Updated

2021-03-15

CVE-2018-9838

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions OCaml version 4.06.0

Description The issue is related to an integer overflow in the caml ba deserialize function, which can be exploited when marshalled data from an untrusted source is accepted. This can lead to a denial of service due to memory corruption or potentially allow the execution of arbitrary code via a crafted object. The vulnerability may also allow a remote attacker to access or modify confidential data.

Recommendations For OCaml version 4.06.0, as a temporary workaround, consider restricting the acceptance of marshalled data from untrusted sources to minimize the risk of exploitation. Avoid using the caml ba deserialize function with untrusted input until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

DoS

Integer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-190

Related Identifiers

BDU:2021-01481

CVE-2018-9838

MGASA-2019-0124

OPENSUSE-SU-2018_1561-1

OPENSUSE-SU-2024:10587-1

OSEC-2018-01

SUSE-SU-2018:0983-1

SUSE-SU-2018:1075-1

SUSE-SU-2018:1493-1

SUSE-SU-2018:1494-1

SUSE-SU-2018_0983-1

SUSE-SU-2018_1075-1

SUSE-SU-2018_1493-1

SUSE-SU-2018_1494-1

USN-4778-1

Affected Products

Ocaml

Suse

Ubuntu

PT-2018-3635 · Inria+2 · Ocaml+2

CVE-2018-9838

Weakness Enumeration

Related Identifiers

Affected Products

References · 32