In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables re… — CVE-2026-28364

Summary

Advisory CVE-2026-28364. In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables re… Vendor: Microsoft. Source: MSRC. Threat: high. CVSS 7.9. See the official advisory for…

What to do

General, cautious steps (verify details in the official source):

• Prioritize patching or mitigation immediately (treat as actively risky).
• Identify affected product versions in your inventory and verify whether you are impacted.
• Apply vendor patches/updates or recommended mitigations as soon as available.
• Read the official advisory for exact affected versions and remediation steps.

Official advisory

Read the official source

Related advisories

• Malformed Valkey Cluster bus message can lead to Remote DoS CVE-2026-21863
• Valkey Affected by RESP Protocol Injection via Lua error_reply CVE-2025-67733
• WordPress Oxygen theme <= 6.0.8 - Server Side Request Forgery (SSRF) vulnerability CVE-2025-69299
• btrfs: reject new transactions if the fs is fully read-only CVE-2026-23214
• bus: fsl-mc: fix use-after-free in driver_override_show() CVE-2026-23221
• crypto: iaa - Fix out-of-bounds index in find_empty_iaa_compression_mode CVE-2025-71231
• crypto: virtio - Add spinlock protection with virtqueue notification CVE-2026-23229
• drm/amd/pm: Disable MMIO access during SMU Mode 1 reset CVE-2026-23213
• drm/exynos: vidi: use ctx->lock to protect struct vidi_context member variables related to memory alloc/free CVE-2026-23227
• ksmbd: add chann_lock to protect ksmbd_chann_list xarray CVE-2026-23226
• LoongArch: Set correct protection_map[] for VM_NONE/VM_SHARED CVE-2025-71228
• md: suspend array while updating raid_disks via sysfs CVE-2025-71225