Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <a671aebf-fc45-4d06-a1dd-5ed6664aaa3c@oracle.com>
Date: Fri, 27 Feb 2026 10:38:40 -0800
From: Alan Coopersmith <alan.coopersmith@...cle.com>
To: oss-security@...ts.openwall.com
Subject: OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in
 OCaml Marshal Deserialization

https://sympa.inria.fr/sympa/arc/ocsf-ocaml-security-announcements/2026-02/msg00000.html 
announces:
> From: Hannes Mehnert <hannes@...nert.org>
> To: ocsf-ocaml-security-announcements@...ia.fr
> Subject: [ocsf-ocaml-security-announcements] OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization
> Date: Tue, 17 Feb 2026 15:16:54 +0100
> 
> Dear everyone,
> 
> it is my pleasure to announce the first security announcement of this year,
> and the first on this mailing list.
> 
> It should any moment now also appear at https://osv.dev/list?q=OSEC-2026-01
> 
> Human link: https://github.com/ocaml/security-advisories/tree/main/advisories/2026/OSEC-2026-01.md
> 
> 
> ```
> id: OSEC-2026-01
> modified: "2026-02-17T13:30:00Z"
> published: "2026-01-24T13:30:00Z"
> aliases: [ GHSA-j26j-m5xr-g23c GHSA-m34r-cgq7-jhfm ]
> severity: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
> severity_score: "6.8"
> affected: "ocaml" {< "4.14.3" | (>= "5" & < "5.4.1")}
> events: [
> [
> git "https://github.com/ocaml/ocaml"; [
> [fixed "b0a2614684a52acded784ec213f14ddfe085d146"]
> ]
> ]
> [
> git "https://github.com/ocaml/ocaml"; [
> [fixed "e3919fef436f89271bc30bbe8592851f7289fb68"]
> ]
> ]
> ]
> references: [
> [report "https://github.com/ocaml/security-advisories/security/advisories/GHSA-j26j-m5xr-g23c";]
> ]
> credits: [
> [reporter "Justin Timperio"]
> [remediation_developer "Nicolás Ojeda Bär"]
> [remediation_developer "Xavier Leroy"]
> [remediation_developer "Gabriel Scherer"]
> [remediation_reviewer "Xavier Leroy"]
> [remediation_reviewer "Olivier Nicole"]
> [remediation_verifier "Mindy Preston"]
> [remediation_verifier "Edwin Török"]
> [coordinator "Hannes Mehnert"]
> ]
> cwe: [ CWE-126 CWE-502 CWE-754 ]
> ```
> 
> # Buffer Over-Read in OCaml Marshal Deserialization
> 
> ## Summary
> 
> A critical buffer over-read vulnerability in OCaml's Marshal deserialization
> (runtime/intern.c) enables remote code execution through a multi-phase attack
> chain. The vulnerability stems from missing bounds validation in the
> readblock() function, which performs unbounded memcpy() operations using
> attacker-controlled lengths from malicious Marshal data.
> 
> Please note that Marshal is not type safe, and you have to be careful if you
> use the deserialization on untrusted input (due to type confusion, and remote
> code execution by design - you can use Marshal for code).
> 
> Affected functions: `Marshal.from_channel`, `Marshal.from_bytes`,
> `Marshal.from_string`, `Stdlib.input_value`, `Pervasives.input_value`
> when reading data from an untrusted source.
> 
> ## Vulnerability Attack Vector
> 
> Corrupted or malicious marshaled data that causes undefined behaviour in the
> runtime system when unmarshaled.
> `input_value` should either fail cleanly or produce a well-formed OCaml object,
> without corrupting the runtime system.
> 
> Consequently, this excludes:
> 
> * well-formed marshaled data that produces an OCaml object that is not of the
>   type expected by the OCaml code and causes the Ocaml code to crash or misbehave
> 
> * misuses of the OCaml runtime system by the program performing input_value,
>   such as setting `Debugger.function_placeholder` to the wrong function.
> 
> The former issue may be addressed at some point by validating the unmarshaled
> OCaml value against the expected type, using the functions from module `Obj`
> and some kind of run-time type description.
> 
> The latter issue is a bug in the program that unmarshals the data.
> 
> ## Fix
> 
> ### OCaml runtime
> 
> The OCaml runtime has been hardened with additional bounds checks. An exception
> is raised on bad input.
> 
> ### Third party libraries
> 
> Third party libraries that want to harden their custom Marshal deserialization
> code can follow the example fix for bigarrays from the standard library.
> There are new macros in `custom.h` called `Wsize_custom_data` and
> `Bsize_custom_data` that return the size in words or bytes of the allocated
> custom destination block. The deserializer needs to ensure it only writes data
> within those bounds.
> 
> This only needs to be done if the library defines a custom type in a C binding,
> and `struct custom_operations`'s `deserialize` field is not set to `NULL` or
> `custom_deserialize_default`, and `struct custom_operations`'s `fixed_length`
> field is set to `NULL` or `custom_fixed_length_default`
> 
> Since `Marshal.from*` and `input_value` remain unsafe to use, the fix for the
> OCaml runtime is released, and we wouldn't attempt to coordinate updating all
> deserialization functions in the ecosystem.
> 
> ## Timeline
> 
> - Nov 4th 2025: Discovery Date: Discovered first in OxCaml
> - Nov 5th 2025: First Disclosure Date (Jane Street Team): Emailed top
>   maintainers, no response.
> - Nov 9th 2025: Second Disclosure Date (OCaml Team): Submitted to OCaml/ocaml
>   GitHub Repo as a Security Advisory.
> - Nov 11th 2025: Emailed OCaml Security Mail List: Submitted to OCaml over
>   email, responded asking for details.
> - Nov 11th 2025: Third Disclosure (OCaml Security Response Team): Submitted
>   to ocaml/security-advisories GitHub Repo as a Security Advisory.
> - Dec 16th 2025: Initial patch is developed
> - Dec 17th 2025: Fuzz testing found further issues
> - Dec 24th 2025: Final patch for OCaml is developed
> - Dec 25th 2025: Fuzz testing couldn't find any further issues
> - Jan 2nd 2026: Patch got reviewed by OCaml maintainers
> - Jan 4th 2026: Benchmarking of the patch with good results
> - Jan 6th 2026: Reporter got contacted to confirm
> - Jan 25th 2026: Further related issues discovered by fuzzing
> - Feb 17th 2026: fixed OCaml releases are published, security advisory is
>   published

A followup note in
https://sympa.inria.fr/sympa/arc/ocsf-ocaml-security-announcements/2026-02/msg00001.html
notes that the "published" date in the JSON was incorrect and should be
2026-02-17.

-- 
         -Alan Coopersmith-                 alan.coopersmith@...cle.com
          Oracle Solaris Engineering - https://blogs.oracle.com/solaris

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.