Description
MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/> — it assumes msSLDParseRule added one class. When the rule has no symbolizer (a structurally valid SLD), msSLDParseRule adds zero, and _SLDApplyRuleValues ends up indexing _class[-1], resulting in a NULL pointer dereference. A 200-byte well-formed SLD via the WMS SLD_BODY= parameter is enough to trigger this, no auth required. This vulnerability is fixed in 8.6.3.
Published: 2026-05-27
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MapServer versions 6.4.0 up to, but not including, 8.6.3 contain a NULL pointer dereference in SLD rule parsing, triggered by the <ElseFilter/> element in an SLD document delivered via the WMS SLD_BODY parameter. The flaw occurs when the rule contains no symbolizer, causing the parser to reference an out-of-bounds class index and crash the server. An attacker needs no authentication: a 200-byte, well-formed SLD is enough, and the result is a denial of service.

Affected Systems

MapServer versions 6.4.0 up to, but not including, 8.6.3 are affected. All users running these releases should verify their installed version.

Risk and Exploitability

The vulnerability has a CVSS 3.1 base score of 7.5 (High). The recorded vector (AV:N/AC:L/PR:N/UI:N) describes a network-reachable flaw with low attack complexity that needs no privileges and no user interaction; the only impact is on availability (A:H). The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Because the attack vector is a public WMS request that requires no authentication, the risk of exploitation is significant for exposed services.

Generated by OpenCVE AI on May 27, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MapServer to version 8.6.3 or later to remove the defect.
  • If an upgrade cannot be performed immediately, restrict or validate SLD_BODY submissions by applying input size limits or disallowing <ElseFilter/> elements through WMS configuration.
  • Restart the MapServer process after applying the upgrade or configuration changes to ensure the new code is active.
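
One way to implement the SLD_BODY validation suggested above as a pre-filter in front of an unpatched server (an added example, not OpenCVE or MapServer code). The function names, the size limit and the case-insensitive element matching are assumptions, and the sample is a constructed fragment rather than a full SLD document.

```python
import xml.etree.ElementTree as ET

MAX_SLD_BYTES = 65536  # assumed local limit, not a MapServer setting

# Constructed sample fragment: only the second rule has <ElseFilter/>
# without any *Symbolizer child.
SAMPLE_FRAGMENT = """<FeatureTypeStyle xmlns="http://www.opengis.net/sld">
  <Rule><ElseFilter/><PointSymbolizer/></Rule>
  <Rule><ElseFilter/></Rule>
  <Rule><LineSymbolizer/></Rule>
</FeatureTypeStyle>"""


def local_name(tag):
    """'{namespace}Rule' -> 'rule' (lower-cased to match conservatively)."""
    return tag.rsplit("}", 1)[-1].lower()


def rules_without_symbolizer(sld_text):
    """Return 0-based indexes of <Rule> elements that carry <ElseFilter>
    but no direct *Symbolizer child, the shape the description names."""
    if len(sld_text.encode("utf-8")) > MAX_SLD_BYTES:
        raise ValueError("SLD body exceeds size limit")
    # Refuse DTDs outright so entity expansion never reaches the parser.
    if "<!DOCTYPE" in sld_text or "<!ENTITY" in sld_text:
        raise ValueError("DTD/entity declarations not accepted")
    root = ET.fromstring(sld_text)
    rules = [e for e in root.iter() if local_name(e.tag) == "rule"]
    flagged = []
    for index, rule in enumerate(rules):
        children = [local_name(child.tag) for child in rule]
        has_else = "elsefilter" in children
        has_symbolizer = any(c.endswith("symbolizer") for c in children)
        if has_else and not has_symbolizer:
            flagged.append(index)
    return flagged


def should_block(sld_text):
    """Fail closed: block on a flagged rule, oversize input, or bad XML."""
    try:
        return bool(rules_without_symbolizer(sld_text))
    except (ValueError, ET.ParseError):
        return True


if __name__ == "__main__":
    print(rules_without_symbolizer(SAMPLE_FRAGMENT))
```

Apply it to the URL-decoded SLD_BODY value before the request reaches MapServer; it is a stopgap until the upgrade to 8.6.3 is in place.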

Advisories

No advisories yet.

History

Wed, 27 May 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/> — it assumes msSLDParseRule added one class. When the rule has no symbolizer (a structurally valid SLD), msSLDParseRule adds zero, and _SLDApplyRuleValues ends up indexing _class[-1], resulting in a NULL pointer dereference. A 200-byte well-formed SLD via the WMS SLD_BODY= parameter is enough to trigger this, no auth required. This vulnerability is fixed in 8.6.3. |
| Title | | MapServer: NULL pointer dereference in SLD `<ElseFilter>` rule parsing reachable via WMS `SLD_BODY` |
| Weaknesses | | CWE-129, CWE-476 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'} |

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T18:41:39.396Z

Reserved: 2026-05-08T19:27:26.699Z

Link: CVE-2026-45104

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-27T20:16:38.407

Modified: 2026-05-27T20:16:38.407

Link: CVE-2026-45104

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T21:00:14Z

Weaknesses