{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33721", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.559Z", "datePublished": "2026-03-27T00:15:00.360Z", "dateUpdated": "2026-03-27T00:15:00.360Z"}, "containers": {"cna": {"title": "MapServer has heap buffer overflow in SLD `Categorize` Threshold parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp"}, {"name": "https://github.com/MapServer/MapServer/releases/tag/rel-8-6-1", "tags": ["x_refsource_MISC"], "url": "https://github.com/MapServer/MapServer/releases/tag/rel-8-6-1"}], "affected": [{"vendor": "MapServer", "product": "MapServer", "versions": [{"version": ">= 4.2, < 8.6.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:15:00.360Z"}, "descriptions": [{"lang": "en", "value": "MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer\u2019s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue."}], "source": {"advisory": "GHSA-cv4m-mr84-fgjp", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer\u2019s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue."}], "id": "CVE-2026-33721", "lastModified": "2026-03-27T01:16:19.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-27T01:16:19.670", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/MapServer/MapServer/releases/tag/rel-8-6-1"}, {"source": "security-advisories@github.com", "url": "https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "MapServer: MapServer: Denial of Service via crafted Styled Layer Descriptor", "id": "2452066", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452066"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["A flaw was found in MapServer, a system for developing web-based Geographic Information System (GIS) applications. A remote, unauthenticated attacker can exploit a heap-buffer-overflow vulnerability by sending a specially crafted Styled Layer Descriptor (SLD) with an excessive number of Threshold elements. This can cause the MapServer process to crash, leading to a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "Restrict network access to the MapServer instance to trusted clients only. Implement firewall rules to limit inbound connections to the MapServer service, ensuring that only authorized users or systems can submit Styled Layer Descriptor (SLD) requests. If MapServer functionality is not required, consider disabling or uninstalling the MapServer package to eliminate the attack surface. If a web application firewall (WAF) is in use, configure it to inspect and potentially filter overly large or malformed SLD requests."}, "name": "CVE-2026-33721", "public_date": "2026-03-27T00:15:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33721\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33721\nhttps://github.com/MapServer/MapServer/releases/tag/rel-8-6-1\nhttps://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp"], "statement": "This is an Important denial of service vulnerability in MapServer, a system for developing web-based GIS applications. A remote, unauthenticated attacker can trigger a heap-buffer-overflow by sending a specially crafted Styled Layer Descriptor (SLD) with an excessive number of Threshold elements, causing the MapServer process to crash. This affects Red Hat Community Projects that include MapServer versions prior to 8.6.1.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.2,8.6.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MapServer", "source": "cna", "vendor": "MapServer"}, "product": "mapserver", "vendor": "mapserver"}], "analysis": {"en": {"generated_at": "2026-03-27T06:25:20.045299+00:00", "value": {"mitigation_remediation": ["Apply the latest MapServer release (8.6.1 or newer) that patches the heap\u2011buffer\u2011overflow bug.", "If an upgrade is not immediately feasible, restrict WMS access to trusted clients or remove the ability to provide custom SLD_BODY requests.", "Consider deploying a Web Application Firewall (WAF) rule to reject SLD_BODY payloads containing more than 100 Threshold elements.", "Verify that the MapServer configuration does not expose the vulnerable SLD parsing path to public networks."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "MapServer, the open\u2011source web\u2011GIS platform, is impacted from version 4.2 up to, but not including, 8.6.1. Any deployment running a vulnerable MapServer instance that accepts remote SLD_BODY requests over the Web Map Service (WMS) interface is susceptible. Version 8.6.1 and later contain the patch that eliminates the overflow bug.", "description_and_impact": "MapServer parses styled layer descriptors (SLD) using a Categorize function that allows a client to specify a Threshold for each color in a ColorMap. When a crafted SLD contains more than 100 Threshold elements inside a ColorMap/Categorize structure, the parser writes beyond the allocated heap buffer, causing a heap\u2011buffer\u2011overflow. The resulting overflow generally crashes the MapServer process, leading to a denial\u2011of\u2011service attack. The vulnerability is identified as a heap buffer overflow (CWE\u2011787) and does not provide a direct path to code execution.", "risk_and_exploitability": "With a CVSS score of 5.3, the severity is considered medium; exploitation requires a remote, unauthenticated attacker to deliver a crafted SLD through the WMS GetMap request. EPSS data is not available, and the issue is not listed in CISA\u2019s KEV catalog, suggesting a lower likelihood of widespread exploitation today. Nonetheless, because the condition can be triggered remotely, the risk to availability remains significant for exposed services."}}}}, "created": "2026-03-27T08:31:14.407033+00:00", "updated": "2026-03-27T09:22:36.636909+00:00", "vendors": ["mapserver", "mapserver$PRODUCT$mapserver"]}