Bug 2443348 (CVE-2026-28364)

Summary: CVE-2026-28364 ocaml: OCaml: Remote code execution via buffer over-read in Marshal deserialization
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in OCaml. A remote attacker could exploit a buffer over-read vulnerability during Marshal deserialization by providing specially crafted data. This issue stems from missing bounds validation in the readblock() function, which performs unbounded memory copy operations. Successful exploitation could lead to remote code execution.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2443780    
Bug Blocks:    

Description OSIDB Bzimport 2026-02-27 16:01:44 UTC 
In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.