OCaml fixes Marshal deserialization buffer over-read that can enable RCE (CVE-2026-28364)
What happened
MITRE published CVE-2026-28364 on 2026-02-27T03:54:53.458Z, describing a buffer over-read in OCaml Marshal deserialization (noted as runtime/intern.c).
The CVE record states the issue is caused by missing bounds validation in the readblock() function, which can result in unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.
The CVE record further states this can enable remote code execution via a multi-phase attack chain. The record includes a CVSS v3.1 score of 7.9 (High) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N.
Who is impacted
- OCaml versions < 4.14.3 are affected.
- OCaml 5.x versions >= 5.0.0 and < 5.4.1 are affected.
- The affected package is identified as pkg:opam/ocaml in the CVE record.
What to do now
- Upgrade OCaml to 4.14.3 (for the 4.x line) or to 5.4.1 (for the 5.x line) or later.
- Review any components that deserialize Marshal data, and do not treat Marshal input as safe when it can originate from untrusted sources.
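As an added example (not code from the OCaml project or the CVE record), the following script turns the two steps above into a check: it classifies a version string against the affected ranges stated on this page, and lists the Marshal reader call sites in a source tree so each one can be reviewed for untrusted input. The sample version strings and the sample `.ml` file are constructed for the demo.

```sh
#!/bin/sh
# Added example, not OCaml project code. Affected ranges per the CVE-2026-28364
# record: OCaml < 4.14.3, and OCaml >= 5.0.0 and < 5.4.1.

# Map "MAJOR.MINOR.PATCH" to one comparable integer. Trailing suffixes such as
# "~alpha1" or "+flambda" are dropped; a missing component counts as 0.
ver_key() {
  printf '%s\n' "$1" | awk '{
    sub(/[^0-9.].*/, "")
    split($0, p, ".")
    printf "%d", p[1] * 1000000 + p[2] * 1000 + p[3]
  }'
}

# Exit status 0 when the version lies in an affected range, 1 otherwise.
ocaml_affected() {
  k=$(ver_key "$1")
  if [ "$k" -lt "$(ver_key 4.14.3)" ]; then return 0; fi
  if [ "$k" -ge "$(ver_key 5.0.0)" ] && [ "$k" -lt "$(ver_key 5.4.1)" ]; then
    return 0
  fi
  return 1
}

# Print "file:line:text" for every Marshal reader under a source tree, so each
# site can be checked for whether its input can come from an untrusted source.
find_marshal_readers() {
  find "$1" -name '*.ml' -exec grep -nE \
    'Marshal\.from_(string|bytes|channel)|input_value' {} +
}

# Stand-alone demo: constructed version strings, then the installed compiler.
for v in 4.14.2 4.14.3 "5.1.0~alpha1" 5.4.0 5.4.1; do
  if ocaml_affected "$v"; then echo "$v: affected"; else echo "$v: not affected"; fi
done
if command -v ocamlc >/dev/null 2>&1; then
  inst=$(ocamlc -version)
  ocaml_affected "$inst" && echo "installed ocamlc $inst is in an affected range"
fi

# Constructed sample tree with one Marshal reader to audit.
tmp=$(mktemp -d)
cat > "$tmp/loader.ml" <<'EOF'
(* constructed sample: deserializes whatever arrives on the channel *)
let load chan = (Marshal.from_channel chan : int list)
EOF
find_marshal_readers "$tmp"
rm -rf "$tmp"
```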
Additional Information
- CWE: CWE-126 (Buffer Over-read).
- The CVE record references the OCaml security advisory entry OSEC-2026-01 (OSV/GitHub advisory metadata) for additional vendor-side context.
Published 27 Feb 2026. Updated 27 Feb 2026.
