FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ocaml-opam -- opam install sandbox escape using symlinks

Affected packages
ocaml-opam < 2.5.2

Details

VuXML ID b478ff13-7f6e-11f1-b594-3c7c3fba4204
Discovery 2026-07-12
Entry 2026-07-14

The OCaml Team reports:

Installing files through .install files do not check symlinks resolution of the target path, and so can bypass sandboxing.

Credits:
Reporter: "Kate Deplaix"
Remediation Developer: "Nathan Rebours"
Remediation Reviewer: "Raja Boujbel"
Coordinator: "Hannes Mehnert"

References

CVE Name CVE-2026-57825
URL https://github.com/ocaml/security-advisories/blob/main/advisories/2026/OSEC-2026-10.md
URL https://nvd.nist.gov/vuln/detail/CVE-2026-57825