An update for ocaml is now available for openEuler-24.03-LTS-SP2 Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2026-1525 Final 1.0 1.0 2026-03-06 Initial 2026-03-06 2026-03-06 openEuler SA Tool V1.0 2026-03-06 ocaml security update An update for ocaml is now available for openEuler-24.03-LTS-SP2 OCaml is a high-level, strongly-typed, functional and object-oriented programming language from the ML family of languages. This package includes runtime environment, X11 support ,Documentation generator and emacs. Security Fix(es): In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data.(CVE-2026-28364) An update for ocaml is now available for master/openEuler-20.03-LTS-SP4/openEuler-22.03-LTS-SP4/openEuler-24.03-LTS/openEuler-24.03-LTS-Next/openEuler-24.03-LTS-SP1/openEuler-24.03-LTS-SP2/openEuler-24.03-LTS-SP3. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High ocaml https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1525 https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2026-28364 https://nvd.nist.gov/vuln/detail/CVE-2026-28364 openEuler-24.03-LTS-SP2 ocaml-4.14.1-6.oe2403sp2.aarch64.rpm ocaml-debuginfo-4.14.1-6.oe2403sp2.aarch64.rpm ocaml-debugsource-4.14.1-6.oe2403sp2.aarch64.rpm ocaml-devel-4.14.1-6.oe2403sp2.aarch64.rpm ocaml-help-4.14.1-6.oe2403sp2.aarch64.rpm ocaml-4.14.1-6.oe2403sp2.src.rpm ocaml-4.14.1-6.oe2403sp2.x86_64.rpm ocaml-debuginfo-4.14.1-6.oe2403sp2.x86_64.rpm ocaml-debugsource-4.14.1-6.oe2403sp2.x86_64.rpm ocaml-devel-4.14.1-6.oe2403sp2.x86_64.rpm ocaml-help-4.14.1-6.oe2403sp2.x86_64.rpm In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data. 2026-03-06 CVE-2026-28364 openEuler-24.03-LTS-SP2 High 7.9 AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N ocaml security update 2026-03-06 https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2026-1525