Amazon Linux 2023 Security Advisory: ALAS2023-2026-1479
Advisory Released Date: 2026-03-25
Advisory Updated Date: 2026-03-25
Severity: Important
Issue Overview:
In OCaml before 4.14.3 and 5.x before 5.4.1, a buffer over-read in Marshal deserialization (runtime/intern.c) enables remote code execution through a multi-phase attack chain. The vulnerability stems from missing bounds validation in the readblock() function, which performs unbounded memcpy() operations using attacker-controlled lengths from crafted Marshal data. (CVE-2026-28364)
Affected Packages:
ocaml
Issue Correction:
Run dnf update ocaml --releasever 2023.10.20260316 or dnf update --advisory ALAS2023-2026-1479 --releasever 2023.10.20260316 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
New Packages:
aarch64:
ocaml-ocamldoc-debuginfo-4.13.1-4.amzn2023.0.3.aarch64
ocaml-runtime-debuginfo-4.13.1-4.amzn2023.0.3.aarch64
ocaml-docs-4.13.1-4.amzn2023.0.3.aarch64
ocaml-source-4.13.1-4.amzn2023.0.3.aarch64
ocaml-debuginfo-4.13.1-4.amzn2023.0.3.aarch64
ocaml-debugsource-4.13.1-4.amzn2023.0.3.aarch64
ocaml-runtime-4.13.1-4.amzn2023.0.3.aarch64
ocaml-4.13.1-4.amzn2023.0.3.aarch64
ocaml-ocamldoc-4.13.1-4.amzn2023.0.3.aarch64
ocaml-compiler-libs-4.13.1-4.amzn2023.0.3.aarch64
src:
ocaml-4.13.1-4.amzn2023.0.3.src
x86_64:
ocaml-runtime-debuginfo-4.13.1-4.amzn2023.0.3.x86_64
ocaml-source-4.13.1-4.amzn2023.0.3.x86_64
ocaml-ocamldoc-debuginfo-4.13.1-4.amzn2023.0.3.x86_64
ocaml-docs-4.13.1-4.amzn2023.0.3.x86_64
ocaml-debugsource-4.13.1-4.amzn2023.0.3.x86_64
ocaml-debuginfo-4.13.1-4.amzn2023.0.3.x86_64
ocaml-runtime-4.13.1-4.amzn2023.0.3.x86_64
ocaml-4.13.1-4.amzn2023.0.3.x86_64
ocaml-ocamldoc-4.13.1-4.amzn2023.0.3.x86_64
ocaml-compiler-libs-4.13.1-4.amzn2023.0.3.x86_64