{"api_version":"1","generated_at":"2026-07-09T04:26:47+00:00","cve":"CVE-2026-28364","urls":{"html":"https://cve.report/CVE-2026-28364","api":"https://cve.report/api/cve/CVE-2026-28364.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-28364","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-28364"},"summary":{"title":"CVE-2026-28364","description":"In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.","state":"PUBLISHED","assigner":"mitre","published_at":"2026-02-27 04:16:03","updated_at":"2026-06-30 03:18:01"},"problem_types":["CWE-126","CWE-125","CWE-126 CWE-126 Buffer Over-read","CWE-125 Out-of-bounds Read"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"7.8","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"ADP","type":"CVSS","score":"7.9","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":7.9,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","version":"3.1"}},{"version":"3.1","source":"cve@mitre.org","type":"Secondary","score":"7.9","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","baseScore":7.9,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","score":"7.9","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","baseScore":7.9,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.9","severity":"HIGH","vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","data":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":7.9,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://osv.dev/vulnerability/OSEC-2026-01","name":"https://osv.dev/vulnerability/OSEC-2026-01","refsource":"cve@mitre.org","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-28364.json","name":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-28364.json","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2443348","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2443348","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://access.redhat.com/security/cve/CVE-2026-28364","name":"https://access.redhat.com/security/cve/CVE-2026-28364","refsource":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-01.json","name":"https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-01.json","refsource":"cve@mitre.org","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-28364","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28364","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"OCaml","product":"OCaml","version":"affected 4.14.3 semver","platforms":[]},{"source":"CNA","vendor":"OCaml","product":"OCaml","version":"affected 5.0.0 5.4.1 semver","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 10","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 6","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 7","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 8","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Enterprise Linux 9","version":"","platforms":[]},{"source":"ADP","vendor":"Red Hat","product":"Red Hat Hardened Images","version":"","platforms":[]}],"timeline":[{"source":"ADP","time":"2026-02-27T16:01:20.960Z","lang":"en","value":"Reported to Red Hat."},{"source":"ADP","time":"2026-02-27T03:54:53.458Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2026","cve_id":"28364","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ocaml","cpe5":"ocaml","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-28364","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-02-27T15:48:53.652379Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-02-27T15:49:06.382Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"affected":[{"cpes":["cpe:/o:redhat:enterprise_linux:10"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 10","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:6"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 6","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:7"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 7","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:8"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 8","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:9"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux 9","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:hummingbird:1"],"defaultStatus":"unaffected","product":"Red Hat Hardened Images","vendor":"Red Hat"}],"datePublic":"2026-02-27T03:54:53.458Z","descriptions":[{"lang":"en","value":"A flaw was found in OCaml. A remote attacker could exploit a buffer over-read vulnerability during Marshal deserialization by providing specially crafted data. This issue stems from missing bounds validation in the readblock() function, which performs unbounded memory copy operations. Successful exploitation could lead to remote code execution."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":7.9,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-125","description":"Out-of-bounds Read","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-30T02:46:19.595Z","orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-28364"},{"name":"RHBZ#2443348","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2443348"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-28364.json"}],"timeline":[{"lang":"en","time":"2026-02-27T16:01:20.960Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-02-27T03:54:53.458Z","value":"Made public."}],"title":"ocaml: OCaml: Remote code execution via buffer over-read in Marshal deserialization","x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"}}],"cna":{"affected":[{"defaultStatus":"unaffected","packageURL":"pkg:opam/ocaml","product":"OCaml","vendor":"OCaml","versions":[{"lessThan":"4.14.3","status":"affected","version":"0","versionType":"semver"},{"lessThan":"5.4.1","status":"affected","version":"5.0.0","versionType":"semver"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*","versionEndExcluding":"4.14.3","vulnerable":true},{"criteria":"cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*","versionEndExcluding":"5.4.1","versionStartIncluding":"5.0.0","vulnerable":true}],"negate":false,"operator":"OR"}]}],"descriptions":[{"lang":"en","value":"In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"NONE","baseScore":7.9,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"CHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-126","description":"CWE-126 Buffer Over-read","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-02-27T03:58:04.453Z","orgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","shortName":"mitre"},"references":[{"url":"https://github.com/ocaml/security-advisories/blob/generated-osv/2026/OSEC-2026-01.json"},{"url":"https://osv.dev/vulnerability/OSEC-2026-01"}],"x_generator":{"engine":"CVE-Request-form 0.0.1"}}},"cveMetadata":{"assignerOrgId":"8254265b-2729-46b6-b9e3-3dfca2d5bfca","assignerShortName":"mitre","cveId":"CVE-2026-28364","datePublished":"2026-02-27T03:54:53.458Z","dateReserved":"2026-02-27T03:54:53.320Z","dateUpdated":"2026-06-30T02:46:19.595Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-02-27 04:16:03","lastModifiedDate":"2026-06-30 03:18:01","problem_types":["CWE-126","CWE-125","CWE-126 CWE-126 Buffer Over-read","CWE-125 Out-of-bounds Read"],"metrics":{"cvssMetricV31":[{"source":"cve@mitre.org","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","baseScore":7.9,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.5,"impactScore":4.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9},{"source":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N","baseScore":7.9,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.5,"impactScore":4.7}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-02-27T15:48:53.652379Z","id":"CVE-2026-28364","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*","versionEndExcluding":"4.14.3","matchCriteriaId":"C54A8C4D-61D8-446B-8DCA-FBF8394EE7B6"},{"vulnerable":true,"criteria":"cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*","versionStartIncluding":"5.0.0","versionEndExcluding":"5.4.1","matchCriteriaId":"296325F6-F724-4C88-9A80-6D5696A35225"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"28364","Ordinal":"1","Title":"CVE-2026-28364","CVE":"CVE-2026-28364","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"28364","Ordinal":"1","NoteData":"In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.","Type":"Description","Title":"CVE-2026-28364"}]}}}