CVE-2026-3381 — Vulnetix

Try Vulnetix Request Demo

CVE-2026-3381 PUBLISHED CVSS 7.900000095367432 HIGH

In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.

EPSS 0.03% · 9.3th percentile

Risk Scores

CVSS v3.1

7.900000095367432

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

EPSS Score

0.03%

9.3th percentile

Affected Products

Vendor	Product	Versions
OCaml	OCaml	0, 5.0.0, 5.0.0
ocaml	ocaml	0, 5.0.0, 0

Timeline

Feb 27, 2026 PoC Published
Feb 27, 2026 PoC Published
Feb 27, 2026 PoC Published
Feb 28, 2026 CVE ID Reserved
Mar 5, 2026 EPSS Score
Mar 5, 2026 CVE Published
Mar 6, 2026 EPSS Score
Mar 7, 2026 EPSS Score
Mar 7, 2026 PoC Published
Mar 8, 2026 EPSS Score
Mar 9, 2026 EPSS Score
Mar 10, 2026 EPSS Score

References

Open in Interactive Console →