OCaml patches Marshal deserialization buffer over-read enabling RCE
TL;DR — A missing bounds check in OCaml's Marshal deserialization enables a buffer over-read that can be chained into remote code execution.
What happened
OCaml is a general-purpose programming language with an emphasis on safety and performance, used in finance, systems programming, and formal verification tooling. MITRE published CVE-2026-28364 describing a buffer over-read in OCaml's Marshal deserialization (runtime/intern.c). Missing bounds validation in readblock() allows unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data, enabling a multi-phase attack chain to RCE.
While OCaml's Marshal module has long documented that unmarshalling untrusted data is unsafe, this CVE demonstrates a concrete exploit chain with a CVSS 3.1 score of 7.9 (High) — making it worth patching even in environments that believe they only marshal trusted data.
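To make the defect class concrete from the defender's side, here is an added example (not OCaml's runtime code) of the checked-read pattern a fix of this kind applies: a length taken from the marshalled data is validated against the bytes actually remaining before any memcpy(). The struct and function names are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Reader over an in-memory buffer of marshalled data (illustrative; this is
 * not OCaml's runtime/intern.c). `src` advances as bytes are consumed. */
struct intern_state {
    const unsigned char *src;
    const unsigned char *end;   /* one past the last valid byte */
};

/* Checked block read: `len` originates in untrusted data, so it is compared
 * against the bytes remaining BEFORE memcpy. Returns 0 on success, -1 if the
 * copy would read past `end`. An unchecked variant (memcpy, then src += len)
 * is the defect class described above. */
static int read_block_checked(struct intern_state *s, void *dst, size_t len)
{
    size_t remaining = (size_t)(s->end - s->src);
    if (len > remaining)
        return -1;
    memcpy(dst, s->src, len);
    s->src += len;
    return 0;
}

/* Reads one constructed record: 4-byte big-endian length, then payload.
 * Returns the payload length, or -1 on a truncated or oversized length. */
static long read_length_prefixed(const unsigned char *buf, size_t buflen,
                                 unsigned char *out, size_t outlen)
{
    struct intern_state s = { buf, buf + buflen };
    unsigned char hdr[4];
    if (read_block_checked(&s, hdr, sizeof hdr) != 0) return -1;
    size_t len = ((size_t)hdr[0] << 24) | ((size_t)hdr[1] << 16) |
                 ((size_t)hdr[2] << 8)  |  (size_t)hdr[3];
    if (len > outlen) return -1;   /* destination bound, checked separately */
    if (read_block_checked(&s, out, len) != 0) return -1;
    return (long)len;
}

/* Constructed samples: a consistent record, and one whose length field (16)
 * exceeds the 3 payload bytes actually present. */
static const unsigned char sample_ok[]       = { 0, 0, 0, 3,  'a', 'b', 'c' };
static const unsigned char sample_overread[] = { 0, 0, 0, 16, 'a', 'b', 'c' };
static unsigned char scratch[64];
int main(void)
{
    printf("ok=%ld overread=%ld\n",
           read_length_prefixed(sample_ok, sizeof sample_ok, scratch, sizeof scratch),
           read_length_prefixed(sample_overread, sizeof sample_overread, scratch, sizeof scratch));
    return 0;
}
```

The second sample is rejected by the source-bound check rather than reaching memcpy(), which is the behaviour the missing check in the vulnerable path fails to provide.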
Who is impacted
- OCaml versions < 4.14.3 (4.x line).
- OCaml 5.x versions >= 5.0.0 and < 5.4.1.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
- Review any components that deserialize Marshal data and ensure untrusted inputs are never passed to it.
