Skip to main content

Ocaml CVE-2026-34353

| EUVDEUVD-2026-16555 MEDIUM
Integer Overflow or Wraparound (CWE-190)
2026-03-27 mitre
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
SUSE
MEDIUM
qualitative
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 05:30 euvd
EUVD-2026-16555
Analysis Generated
Mar 27, 2026 - 05:30 vuln.today
CVE Published
Mar 27, 2026 - 04:55 nvd
MEDIUM 5.9

DescriptionCVE.org

In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, and resultant reading of arbitrary memory, when untrusted data is processed.

AnalysisAI

OCaml's Bigarray.reshape function contains an integer overflow vulnerability that permits unauthenticated local attackers to read arbitrary memory contents when processing untrusted input. Affected versions through 4.14.3 allow an attacker with local access to trigger the overflow condition, bypassing memory protections and potentially exposing sensitive data including cryptographic keys or process memory. No public exploit code or active exploitation has been confirmed at time of analysis.

Technical ContextAI

The vulnerability exists in OCaml's Bigarray module, a component providing multi-dimensional array operations. The reshape function performs dimension calculation without proper bounds checking, allowing integer overflow during size computations. This is a classic CWE-190 (Integer Overflow or Wraparound) vulnerability where the calculated reshaped array size overflows, resulting in undersized memory allocation. When subsequent operations read from the Bigarray using the legitimate but overflowed dimension values, memory access extends beyond the allocated buffer into adjacent heap or process memory. The affected product is identified via CPE as cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:* covering all OCaml versions up to and including 4.14.3.

RemediationAI

Upgrade to a patched OCaml release beyond 4.14.3 once available from the official OCaml project. The upstream fix has been addressed in pull request #14674 on GitHub (https://github.com/ocaml/ocaml/pull/14674); however, the exact released version number containing this fix is not independently confirmed in available data. Monitor the OCaml project releases page and security advisories for the first tagged release incorporating this patch. Until patching is possible, restrict Bigarray.reshape operations on untrusted input by validating dimension parameters, implementing input sanitization to ensure reshape dimensions cannot trigger integer overflow conditions, and limiting the scope of untrusted data processed through Bigarray operations in multi-tenant or high-security contexts.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Development Tools 15 SP7 Fixed
SUSE Linux Enterprise Server 15 SP7 Fixed
SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed

Share

CVE-2026-34353 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy