From: Hannes Mehnert
To: caml-list@inria.fr
Date: Tue, 17 Feb 2026 15:26:02 +0100
Message-ID: <82a75ba9-e897-49a1-ae9d-3bdf9cafd2fd@mehnert.org>
Subject: [Caml-list] OSEC-2026-01 in the OCaml runtime: Buffer Over-Read in OCaml Marshal Deserialization

Dear everyone,

it is my pleasure to
announce the first security announcement of this year, and the first coordinated by the new OCaml security response team (https://ocaml.org/security).

Please subscribe to the OCaml security announcement mailing list (https://sympa.inria.fr/sympa/info/ocsf-ocaml-security-announcements) to receive all security advisories. To this mailing list I'll only copy those affecting the core of the OCaml distribution.

It should any moment now also appear at https://osv.dev/list?q=OSEC-2026-01

Human link: https://github.com/ocaml/security-advisories/tree/main/advisories/2026/OSEC-2026-01.md

```
id: OSEC-2026-01
modified: "2026-02-17T13:30:00Z"
published: "2026-01-24T13:30:00Z"
aliases: [ GHSA-j26j-m5xr-g23c GHSA-m34r-cgq7-jhfm ]
severity: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
severity_score: "6.8"
affected: "ocaml" {< "4.14.3" | (>= "5" & < "5.4.1")}
events: [
  [ git "https://github.com/ocaml/ocaml" [ [fixed "b0a2614684a52acded784ec213f14ddfe085d146"] ] ]
  [ git "https://github.com/ocaml/ocaml" [ [fixed "e3919fef436f89271bc30bbe8592851f7289fb68"] ] ]
]
references: [
  [report "https://github.com/ocaml/security-advisories/security/advisories/GHSA-j26j-m5xr-g23c"]
]
credits: [
  [reporter "Justin Timperio"]
  [remediation_developer "Nicolás Ojeda Bär"]
  [remediation_developer "Xavier Leroy"]
  [remediation_developer "Gabriel Scherer"]
  [remediation_reviewer "Xavier Leroy"]
  [remediation_reviewer "Olivier Nicole"]
  [remediation_verifier "Mindy Preston"]
  [remediation_verifier "Edwin Török"]
  [coordinator "Hannes Mehnert"]
]
cwe: [ CWE-126 CWE-502 CWE-754 ]
```

# Buffer Over-Read in OCaml Marshal Deserialization

## Summary

A critical buffer over-read vulnerability in OCaml's Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from malicious Marshal data.
Please note that Marshal is not type safe, and you have to be careful if you use the deserialization on untrusted input (due to type confusion, and remote code execution by design - you can use Marshal for code).

Affected functions: `Marshal.from_channel`, `Marshal.from_bytes`, `Marshal.from_string`, `Stdlib.input_value`, `Pervasives.input_value` when reading data from an untrusted source.

## Vulnerability

Attack vector: corrupted or malicious marshaled data that causes undefined behaviour in the runtime system when unmarshaled. `input_value` should either fail cleanly or produce a well-formed OCaml object, without corrupting the runtime system. Consequently, this excludes:

* well-formed marshaled data that produces an OCaml object that is not of the type expected by the OCaml code and causes the OCaml code to crash or misbehave
* misuses of the OCaml runtime system by the program performing `input_value`, such as setting `Debugger.function_placeholder` to the wrong function.

The former issue may be addressed at some point by validating the unmarshaled OCaml value against the expected type, using the functions from module `Obj` and some kind of run-time type description. The latter issue is a bug in the program that unmarshals the data.

## Fix

### OCaml runtime

The OCaml runtime has been hardened with additional bounds checks. An exception is raised on bad input.

### Third party libraries

Third party libraries that want to harden their custom Marshal deserialization code can follow the example fix for bigarrays from the standard library. There are new macros in `custom.h` called `Wsize_custom_data` and `Bsize_custom_data` that return the size in words or bytes of the allocated custom destination block. The deserializer needs to ensure it only writes data within those bounds.
This only needs to be done if the library defines a custom type in a C binding, and `struct custom_operations`'s `deserialize` field is not set to `NULL` or `custom_deserialize_default`, and `struct custom_operations`'s `fixed_length` field is set to `NULL` or `custom_fixed_length_default`.

Since `Marshal.from*` and `input_value` remain unsafe to use, the fix for the OCaml runtime is released, and we wouldn't attempt to coordinate updating all deserialization functions in the ecosystem.

## Timeline

- Nov 4th 2025: Discovery Date: Discovered first in OxCaml
- Nov 5th 2025: First Disclosure Date (Jane Street Team): Emailed top maintainers, no response.
- Nov 9th 2025: Second Disclosure Date (OCaml Team): Submitted to OCaml/ocaml GitHub Repo as a Security Advisory.
- Nov 11th 2025: Emailed OCaml Security Mail List: Submitted to OCaml over email, responded asking for details.
- Nov 11th 2025: Third Disclosure (OCaml Security Response Team): Submitted to ocaml/security-advisories GitHub Repo as a Security Advisory.
- Dec 16th 2025: Initial patch is developed
- Dec 17th 2025: Fuzz testing found further issues
- Dec 24th 2025: Final patch for OCaml is developed
- Dec 25th 2025: Fuzz testing couldn't find any further issues
- Jan 2nd 2026: Patch got reviewed by OCaml maintainers
- Jan 4th 2026: Benchmarking of the patch with good results
- Jan 6th 2026: Reporter got contacted to confirm
- Jan 25th 2026: Further related issues discovered by fuzzing
- Feb 17th 2026: fixed OCaml releases are published, security advisory is published
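As an added example (not code from the advisory, the OCaml runtime, or any library), the following plain C shows the shape of the length-checked deserializer that the Summary's readblock() description and the "Third party libraries" part of the Fix section call for. The `blob_t` custom type, its wire format (big-endian u32 length followed by the bytes) and the three sample payloads are constructed for illustration; the `dst_bsize` argument stands in for the destination size a real `deserialize` hook would obtain from `Bsize_custom_data`, and no OCaml headers are used so the file builds and runs stand-alone. Only the hardened form is shown: the difference from the pattern the advisory describes is the two length checks before `memcpy()`.

```c
/* Added illustration, not code from the advisory or the OCaml runtime.
 * Models a custom-block deserializer that checks both the remaining input
 * and the destination capacity before copying. blob_t, its wire format and
 * the sample payloads are constructed; dst_bsize plays the role that
 * Bsize_custom_data() would play inside a real custom_operations.deserialize
 * hook. No OCaml headers are used so this file compiles on its own. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const uint8_t *data; /* serialized input (untrusted) */
    size_t len;          /* total input length */
    size_t pos;          /* read cursor, always <= len */
} reader_t;

/* Copy [len] bytes of input into [dst]. [len] comes from the input, so it is
 * validated against both the bytes still available and the destination
 * capacity; a bad length fails cleanly instead of over-reading the input or
 * over-writing the destination block. */
static int checked_readblock(reader_t *r, void *dst, size_t dst_bsize, size_t len)
{
    if (len > r->len - r->pos) return -1; /* truncated input: would over-read */
    if (len > dst_bsize) return -1;       /* destination too small: would over-write */
    memcpy(dst, r->data + r->pos, len);
    r->pos += len;
    return 0;
}

/* Read a big-endian 32-bit length field, failing if fewer than 4 bytes remain. */
static int read_u32_be(reader_t *r, uint32_t *out)
{
    const uint8_t *p;
    if (r->len - r->pos < 4) return -1;
    p = r->data + r->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16)
         | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
    r->pos += 4;
    return 0;
}

/* Hypothetical custom block: a byte buffer with fixed inline capacity. */
typedef struct {
    uint32_t n;        /* number of valid bytes */
    uint8_t bytes[16]; /* payload capacity of the block */
} blob_t;

/* Deserializer in the style of custom_operations.deserialize: writes into
 * [dst], whose allocated size is [dst_bsize] (what Bsize_custom_data would
 * report). Returns the number of bytes written, or -1 on malformed input. */
static long blob_deserialize(reader_t *r, void *dst, size_t dst_bsize)
{
    blob_t *b = (blob_t *)dst;
    uint32_t n;
    if (dst_bsize < sizeof(blob_t)) return -1;    /* block smaller than the type */
    if (read_u32_be(r, &n) != 0) return -1;       /* missing length field */
    if (n > sizeof b->bytes) return -1;           /* declared length exceeds capacity */
    if (checked_readblock(r, b->bytes, sizeof b->bytes, n) != 0) return -1;
    memset(b->bytes + n, 0, sizeof b->bytes - n); /* leave no stale bytes behind */
    b->n = n;
    return (long)sizeof(blob_t);
}

/* Run one payload through the deserializer into a fresh block. */
static long deserialize_payload(const uint8_t *payload, size_t plen, blob_t *out)
{
    reader_t r = { payload, plen, 0 };
    return blob_deserialize(&r, out, sizeof *out);
}

/* Constructed sample inputs. */
static const uint8_t GOOD[]      = { 0, 0, 0, 3, 'a', 'b', 'c' };  /* consistent */
static const uint8_t OVERSIZED[] = { 0, 0, 0, 64, 'a', 'b', 'c' }; /* claims 64 bytes */
static const uint8_t TRUNCATED[] = { 0, 0, 0, 5, 'a', 'b' };       /* claims 5, carries 2 */

/* Returns the bytes written (20) when the valid payload decodes correctly. */
long demo_valid(void)
{
    blob_t b;
    long rc = deserialize_payload(GOOD, sizeof GOOD, &b);
    if (rc < 0) return rc;
    return (b.n == 3 && memcmp(b.bytes, "abc", 3) == 0) ? rc : -2;
}
/* Both malformed payloads must be rejected with -1, never copied. */
long demo_oversized(void) { blob_t b; return deserialize_payload(OVERSIZED, sizeof OVERSIZED, &b); }
long demo_truncated(void) { blob_t b; return deserialize_payload(TRUNCATED, sizeof TRUNCATED, &b); }

int main(void)
{
    printf("valid: %ld, oversized: %ld, truncated: %ld\n",
           demo_valid(), demo_oversized(), demo_truncated());
    return 0;
}
```

The two checks in `checked_readblock` correspond to the two failure modes the advisory distinguishes: a length larger than the remaining input is an over-read of the marshaled data, and a length larger than the destination is a write past the allocated custom block. A real hook would take the second bound from `Bsize_custom_data` rather than from `sizeof`, and would raise an OCaml exception instead of returning -1.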