Description
MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer’s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue.
Published: 2026-03-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

MapServer parses Styled Layer Descriptors (SLD), including the Categorize function, which lets a client specify a Threshold for each color in a ColorMap. When a crafted SLD contains more than 100 Threshold elements inside a ColorMap/Categorize structure, the parser writes beyond the allocated heap buffer. The overflow generally crashes the MapServer process, resulting in denial of service. The vulnerability is identified as a heap buffer overflow (CWE-787) and does not provide a direct path to code execution.

Affected Systems

MapServer, the open‑source web‑GIS platform, is impacted from version 4.2 up to, but not including, 8.6.1. Any deployment running a vulnerable MapServer instance that accepts remote SLD_BODY requests over the Web Map Service (WMS) interface is susceptible. Version 8.6.1 and later contain the patch that eliminates the overflow bug.

Risk and Exploitability

With a CVSS score of 5.3, the severity is considered medium; exploitation requires a remote, unauthenticated attacker to deliver a crafted SLD through the WMS GetMap request. EPSS data is not available, and the issue is not listed in CISA’s KEV catalog, suggesting a lower likelihood of widespread exploitation today. Nonetheless, because the condition can be triggered remotely, the risk to availability remains significant for exposed services.

Generated by OpenCVE AI on March 27, 2026 at 06:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest MapServer release (8.6.1 or newer) that patches the heap‑buffer‑overflow bug.
  • If an upgrade is not immediately feasible, restrict WMS access to trusted clients or remove the ability to provide custom SLD_BODY requests.
  • Consider deploying a Web Application Firewall (WAF) rule to reject SLD_BODY payloads containing more than 100 Threshold elements.
  • Verify that the MapServer configuration does not expose the vulnerable SLD parsing path to public networks.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | threat_severity: Important


Fri, 27 Mar 2026 08:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mapserver; Mapserver mapserver
Vendors & Products | | Mapserver; Mapserver mapserver

Fri, 27 Mar 2026 04:00:00 +0000

Type | Values Removed | Values Added
Description | | MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer’s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue.
Title | | MapServer has heap buffer overflow in SLD `Categorize` Threshold parsing
Weaknesses | | CWE-787
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T00:15:00.360Z

Reserved: 2026-03-23T17:34:57.559Z

Link: CVE-2026-33721

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-27T01:16:19.670

Modified: 2026-03-27T01:16:19.670

Link: CVE-2026-33721

Redhat

Severity: Important

Public Date: 2026-03-27T00:15:00Z

Links: CVE-2026-33721 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-27T09:22:36Z

Weaknesses