In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer...
High severity
Unreviewed
Published
Feb 27, 2026
to the GitHub Advisory Database
•
Updated Jun 30, 2026
Description
Published by the National Vulnerability Database
Feb 27, 2026
Published to the GitHub Advisory Database
Feb 27, 2026
Last updated
Jun 30, 2026
In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.
References