CVE-2026-28364 Overview
A buffer over-read vulnerability has been identified in OCaml's Marshal deserialization functionality (runtime/intern.c) affecting versions before 4.14.3 and 5.x before 5.4.1. This vulnerability enables remote code execution through a multi-phase attack chain. The flaw stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.
Critical Impact
Attackers can exploit this vulnerability to execute arbitrary code by crafting malicious Marshal data that triggers buffer over-read conditions, potentially leading to full system compromise.
Affected Products
- OCaml versions before 4.14.3
- OCaml 5.x versions before 5.4.1
- Applications using OCaml Marshal deserialization with untrusted input
Discovery Timeline
- 2026-02-27 - CVE CVE-2026-28364 published to NVD
- 2026-02-27 - Last updated in NVD database
Technical Details for CVE-2026-28364
Vulnerability Analysis
This vulnerability is classified as CWE-126 (Buffer Over-read), occurring within OCaml's Marshal deserialization mechanism. The vulnerability resides in the readblock() function within runtime/intern.c, where insufficient bounds checking allows attackers to specify arbitrary length values in crafted Marshal data.
When processing serialized data, the readblock() function copies data using memcpy() without properly validating that the specified length falls within the bounds of allocated memory. An attacker can craft malicious Marshal data containing oversized length fields, causing the function to read beyond the intended buffer boundaries. This out-of-bounds read can expose sensitive memory contents and, through a multi-phase attack chain, enable remote code execution.
The local attack vector requires an attacker to deliver crafted Marshal data to a target application, either through direct input or by compromising data sources that the application deserializes.
Root Cause
The root cause is the absence of proper bounds validation in the readblock() function before performing memcpy() operations. The function trusts length values embedded in the Marshal data without verifying they correspond to legitimate buffer sizes, creating an exploitable condition when processing malicious input.
Attack Vector
The attack requires local access and involves delivering specially crafted Marshal data to an OCaml application that deserializes untrusted input. The attacker constructs Marshal data with manipulated length fields that, when processed by the vulnerable readblock() function, cause the application to read beyond allocated buffer boundaries. This can leak sensitive information from adjacent memory regions and potentially be chained with other techniques to achieve code execution.
The vulnerability mechanism involves the readblock() function receiving attacker-controlled length parameters from the Marshal data stream. Without validation, these lengths are passed directly to memcpy(), causing reads that extend past the source buffer's boundaries. For detailed technical information, see the GitHub Security Advisory OSEC-2026-01.
Detection Methods for CVE-2026-28364
Indicators of Compromise
- Unusual memory access patterns in OCaml applications performing deserialization
- Crash dumps or core files indicating out-of-bounds memory reads in runtime/intern.c
- Application crashes occurring during Marshal data processing
- Anomalous Marshal data files with unusually large or malformed length fields
Detection Strategies
- Monitor for abnormal process behavior in OCaml applications handling external data
- Implement memory safety monitoring tools to detect out-of-bounds read attempts
- Analyze application logs for deserialization errors or unexpected terminations
- Deploy runtime application self-protection (RASP) solutions to detect exploitation attempts
Monitoring Recommendations
- Enable verbose logging for applications that deserialize Marshal data from external sources
- Implement file integrity monitoring on data files processed by OCaml applications
- Set up alerting for crash events in production OCaml services
- Monitor network traffic for unusually large or malformed data payloads targeting OCaml services
How to Mitigate CVE-2026-28364
Immediate Actions Required
- Upgrade OCaml to version 4.14.3 or later for the 4.x branch
- Upgrade OCaml 5.x installations to version 5.4.1 or later
- Audit applications for use of Marshal deserialization with untrusted input
- Implement input validation for any external data sources processed by OCaml applications
Patch Information
OCaml has released security patches addressing this vulnerability. Users should upgrade to OCaml 4.14.3 for the 4.x series or OCaml 5.4.1 for the 5.x series. The patches add proper bounds validation to the readblock() function in runtime/intern.c to prevent the buffer over-read condition.
For additional details, refer to the OSV Vulnerability Database entry for OSEC-2026-01.
Workarounds
- Avoid using Marshal deserialization on untrusted or externally-sourced data
- Implement strict input validation and sanitization before deserialization
- Use alternative serialization formats with built-in safety checks where possible
- Isolate OCaml applications processing external data in sandboxed environments
# Check current OCaml version
ocaml --version
# Update OCaml via opam (recommended)
opam update
opam switch create 4.14.3 # For 4.x branch
# or
opam switch create 5.4.1 # For 5.x branch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
