DEBIAN-CVE-2026-28364

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-28364

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-28364.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-28364

Upstream

CVE-2026-28364

Published

2026-02-27T04:16:03.410Z

Modified

2026-03-07T11:01:19.181309Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.

References

https://security-tracker.debian.org/tracker/CVE-2026-28364

Affected packages

Debian:11 / ocaml

Package

Name: ocaml
Purl: pkg:deb/debian/ocaml?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.11.1-4

4.11.1-5

4.13.1-1

4.13.1-2

4.13.1-3

4.13.1-4

4.13.1-5~exp1

4.13.1-5

4.13.1-6

4.14.1-1~exp1

4.14.1-1

4.14.1-1+loong64.2

5.*

5.2.0-1~exp1

5.2.0-1~exp2

5.2.0-1~exp3

5.2.0-1~exp4

5.2.0-1

5.2.0-2

5.2.0-3

5.2.0-3+hurd.1

5.2.0-3+hurd.2

5.3.0-1~exp1

5.3.0-1~exp2

5.3.0-1

5.3.0-1+hurd.1

5.3.0-2

5.3.0-3

5.4.0-1~exp1

5.4.0-1~exp2

5.4.0-1~exp3

5.4.0-1

5.4.0-2

5.4.0-3

5.4.1-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-28364.json"

Debian:12 / ocaml

Package

Name: ocaml
Purl: pkg:deb/debian/ocaml?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

4.*

4.13.1-4

4.13.1-5~exp1

4.13.1-5

4.13.1-6

4.14.1-1~exp1

4.14.1-1

4.14.1-1+loong64.2

5.*

5.2.0-1~exp1

5.2.0-1~exp2

5.2.0-1~exp3

5.2.0-1~exp4

5.2.0-1

5.2.0-2

5.2.0-3

5.2.0-3+hurd.1

5.2.0-3+hurd.2

5.3.0-1~exp1

5.3.0-1~exp2

5.3.0-1

5.3.0-1+hurd.1

5.3.0-2

5.3.0-3

5.4.0-1~exp1

5.4.0-1~exp2

5.4.0-1~exp3

5.4.0-1

5.4.0-2

5.4.0-3

5.4.1-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-28364.json"

Debian:13 / ocaml

Package

Name: ocaml
Purl: pkg:deb/debian/ocaml?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.3.0-3

5.4.0-1~exp1

5.4.0-1~exp2

5.4.0-1~exp3

5.4.0-1

5.4.0-2

5.4.0-3

5.4.1-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-28364.json"

Debian:14 / ocaml

Package

Name: ocaml
Purl: pkg:deb/debian/ocaml?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.3.0-3

5.4.0-1~exp1

5.4.0-1~exp2

5.4.0-1~exp3

5.4.0-1

5.4.0-2

5.4.0-3

5.4.1-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-28364.json"