Amazon Linux 2023: CVE-2026-28364: Important priority package update for ocaml
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:L/AC:L/Au:N/C:C/I:P/A:N) | Feb 27, 2026 | Mar 27, 2026 | Mar 31, 2026 |
Description
In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.
A flaw was found in OCaml. A remote attacker could exploit a buffer over-read vulnerability during Marshal deserialization by providing specially crafted data. This issue stems from missing bounds validation in the readblock() function, which performs unbounded memory copy operations. Successful exploitation could lead to remote code execution.
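The bounds check the description says was missing, shown as an added illustration written for this page (it is not OCaml's intern.c): a hypothetical block reader that validates the requested length against the bytes still unread before copying, exercised on a constructed Marshal-style length-prefixed item. The names intern_state, readblock_checked, read_length_prefixed and demo are assumptions.

```c
/* Added example (not OCaml's code): models the advisory's defect class, a block
 * reader that copies an input-supplied length unchecked, and the fix. Names hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Hypothetical deserializer state: cursor (pos) over an untrusted buffer of len bytes. */
struct intern_state { const unsigned char *src; size_t pos, len; };

/* Hardened block read: 0 on success, -1 if n exceeds the bytes still unread. */
int readblock_checked(struct intern_state *s, void *dst, size_t n)
{
    if (n > s->len - s->pos)   /* the bounds check the advisory says was missing */
        return -1;
    memcpy(dst, s->src + s->pos, n);
    s->pos += n;
    return 0;
}

/* Read a 4-byte big-endian length, then that many bytes: the shape of a
 * string/block item in a Marshal-style stream. Header and body both go through
 * readblock_checked, so a length larger than the remaining input is rejected. */
int read_length_prefixed(struct intern_state *s, unsigned char *out,
                         size_t cap, size_t *got)
{
    unsigned char hdr[4];
    if (readblock_checked(s, hdr, sizeof hdr) != 0)
        return -1;
    uint32_t n = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                 ((uint32_t)hdr[2] << 8) | (uint32_t)hdr[3];
    if (n > cap)               /* also protect the destination buffer */
        return -1;
    if (readblock_checked(s, out, n) != 0)
        return -1;
    *got = n;
    return 0;
}

/* Constructed input: one well-formed item and one that declares 9 bytes but
 * carries 3. Returns 1 when the first parses and the second is rejected. */
int demo(void)
{
    static const unsigned char good[] = {0, 0, 0, 3, 'a', 'b', 'c'};
    static const unsigned char bad[]  = {0, 0, 0, 9, 'a', 'b', 'c'};
    unsigned char out[16]; size_t got = 0;
    struct intern_state g = {good, 0, sizeof good}, b = {bad, 0, sizeof bad};
    int ok  = read_length_prefixed(&g, out, sizeof out, &got) == 0 && got == 3;
    int rej = read_length_prefixed(&b, out, sizeof out, &got) != 0;
    return ok && rej;
}
```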
Solutions
- amazon-linux-2023-upgrade-ocaml
- amazon-linux-2023-upgrade-ocaml-compiler-libs
- amazon-linux-2023-upgrade-ocaml-debuginfo
- amazon-linux-2023-upgrade-ocaml-debugsource
- amazon-linux-2023-upgrade-ocaml-docs
- amazon-linux-2023-upgrade-ocaml-ocamldoc
- amazon-linux-2023-upgrade-ocaml-ocamldoc-debuginfo
- amazon-linux-2023-upgrade-ocaml-runtime
- amazon-linux-2023-upgrade-ocaml-runtime-debuginfo
- amazon-linux-2023-upgrade-ocaml-source