VYPR

Ocaml

by Ocaml

CVEs (10)

  • CVE-2018-9838 | Critical | Apr 6, 2018
    risk 0.64 | CVSS 9.8 | EPSS 0.04

    The caml_ba_deserialize function in byterun/bigarray.c in the standard library in OCaml 4.06.0 has an integer overflow which, in situations where marshalled data is accepted from an untrusted source, allows remote attackers to cause a denial of service (memory corruption) or…

  • CVE-2017-9772 | Critical | Jun 23, 2017
    risk 0.64 | CVSS 9.8 | EPSS 0.04

    Insufficient sanitisation in the OCaml compiler versions 4.04.0 and 4.04.1 allows external code to be executed with raised privilege in binaries marked as setuid, by setting the CAML_CPLUGINS, CAML_NATIVE_CPLUGINS, or CAML_BYTE_CPLUGINS environment variable.

  • CVE-2026-45390 | Critical | Jun 15, 2026
    risk 0.59 | CVSS 9.1 | EPSS 0.00

    In OCaml-tar before 3.4.0, a crafted archive with ../ path segments in its name allows escaping the current working directory. This is not desired behavior, and tar(1) rejects such extractions, but ocaml-tar decompresses it anyway. The impact is that it allows arbitrary file…

  • CVE-2026-45389 | Critical | Jun 15, 2026
    risk 0.59 | CVSS 9.1 | EPSS 0.00

    In OCaml-TLS before 2.1.0, the server implementation does insufficient checks of the certificate provided by the client (when doing client authentication), which allows impersonation with certificates that are not meant for client authentication (because of KeyUsage and…

  • CVE-2026-45388 | Critical | Jun 15, 2026
    risk 0.59 | CVSS 9.1 | EPSS 0.00

    In OCaml-TLS before 2.1.0, the client implementation does insufficient checks of the certificate provided by the server, which allows impersonation with certificates that are not meant for server authentication (because of KeyUsage and ExtendedKeyUsage).

  • CVE-2015-8869 | Critical | Jun 13, 2016
    risk 0.53 | CVSS 9.1 | EPSS 0.05

    OCaml before 4.03.0 does not properly handle sign extensions, which allows remote attackers to conduct buffer overflow attacks or obtain sensitive information as demonstrated by a long string to the String.copy function.

  • CVE-2017-9779 | High | Sep 7, 2017
    risk 0.51 | CVSS 7.8 | EPSS 0.01

    OCaml compiler allows attackers to have unspecified impact via unknown vectors, a similar issue to CVE-2017-9772 "but with much less impact."

  • CVE-2026-34353 | Medium | Mar 27, 2026
    risk 0.31 | CVSS 5.9 | EPSS 0.00

    In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, and resultant reading of arbitrary memory, when untrusted data is processed.

  • CVE-2026-28364 | Feb 27, 2026
    risk 0.00 | CVSS not listed | EPSS 0.00

    In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs…

  • CVE-2012-0839 | Feb 8, 2012
    risk 0.00 | CVSS not listed | EPSS 0.03

    OCaml 3.12.1 and earlier computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.