{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33721", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.559Z", "datePublished": "2026-03-27T00:15:00.360Z", "dateUpdated": "2026-04-17T17:18:03.353Z"}, "containers": {"cna": {"title": "MapServer has heap buffer overflow in SLD `Categorize` Threshold parsing", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp"}, {"name": "https://github.com/MapServer/MapServer/releases/tag/rel-8-6-1", "tags": ["x_refsource_MISC"], "url": "https://github.com/MapServer/MapServer/releases/tag/rel-8-6-1"}], "affected": [{"vendor": "MapServer", "product": "MapServer", "versions": [{"version": ">= 4.2, < 8.6.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:15:00.360Z"}, "descriptions": [{"lang": "en", "value": "MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer\u2019s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue."}], "source": {"advisory": "GHSA-cv4m-mr84-fgjp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T11:51:50.279171Z", "id": "CVE-2026-33721", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:52:01.621Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00017.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-17T17:18:03.353Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00017.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-17T17:18:03.353Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33721", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T11:51:50.279171Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T11:51:57.689Z"}}], "cna": {"title": "MapServer has heap buffer overflow in SLD `Categorize` Threshold parsing", "source": {"advisory": "GHSA-cv4m-mr84-fgjp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "MapServer", "product": "MapServer", "versions": [{"status": "affected", "version": ">= 4.2, < 8.6.1"}]}], "references": [{"url": "https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp", "name": "https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/MapServer/MapServer/releases/tag/rel-8-6-1", "name": "https://github.com/MapServer/MapServer/releases/tag/rel-8-6-1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer\u2019s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-27T00:15:00.360Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33721", "state": "PUBLISHED", "dateUpdated": "2026-04-17T17:18:03.353Z", "dateReserved": "2026-03-23T17:34:57.559Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-27T00:15:00.360Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:osgeo:mapserver:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1105790-48FD-4133-8056-68A8138CDC66", "versionEndExcluding": "8.6.1", "versionStartIncluding": "4.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer\u2019s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue."}, {"lang": "es", "value": "MapServer es un sistema para desarrollar aplicaciones GIS basadas en web. A partir de la versi\u00f3n 4.2 y antes de la versi\u00f3n 8.6.1, una escritura de desbordamiento de b\u00fafer de pila en el analizador SLD (Styled Layer Descriptor) de MapServer permite a un atacante remoto no autenticado bloquear el proceso de MapServer al enviar un SLD manipulado con m\u00e1s de 100 elementos Threshold dentro de una estructura ColorMap/Categorize (com\u00fanmente accesible a trav\u00e9s de WMS GetMap con SLD_BODY). La versi\u00f3n 8.6.1 corrige el problema."}], "id": "CVE-2026-33721", "lastModified": "2026-04-17T18:16:31.640", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-27T01:16:19.670", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/MapServer/MapServer/releases/tag/rel-8-6-1"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2026/04/msg00017.html"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{"bugzilla": {"description": "MapServer: MapServer: Denial of Service via crafted Styled Layer Descriptor", "id": "2452066", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2452066"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["A flaw was found in MapServer, a system for developing web-based Geographic Information System (GIS) applications. A remote, unauthenticated attacker can exploit a heap-buffer-overflow vulnerability by sending a specially crafted Styled Layer Descriptor (SLD) with an excessive number of Threshold elements. This can cause the MapServer process to crash, leading to a Denial of Service (DoS)."], "mitigation": {"lang": "en:us", "value": "Restrict network access to the MapServer instance to trusted clients only. Implement firewall rules to limit inbound connections to the MapServer service, ensuring that only authorized users or systems can submit Styled Layer Descriptor (SLD) requests. If MapServer functionality is not required, consider disabling or uninstalling the MapServer package to eliminate the attack surface. If a web application firewall (WAF) is in use, configure it to inspect and potentially filter overly large or malformed SLD requests."}, "name": "CVE-2026-33721", "public_date": "2026-03-27T00:15:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-33721\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-33721\nhttps://github.com/MapServer/MapServer/releases/tag/rel-8-6-1\nhttps://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp"], "statement": "This is an Important denial of service vulnerability in MapServer, a system for developing web-based GIS applications. A remote, unauthenticated attacker can trigger a heap-buffer-overflow by sending a specially crafted Styled Layer Descriptor (SLD) with an excessive number of Threshold elements, causing the MapServer process to crash. This affects Red Hat Community Projects that include MapServer versions prior to 8.6.1.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.2,8.6.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "MapServer", "source": "cna", "vendor": "MapServer"}, "product": "mapserver", "vendor": "mapserver"}], "analysis": {"en": {"generated_at": "2026-04-02T04:13:07.741313+00:00", "value": {"mitigation_remediation": ["Update MapServer to version 8.6.1 or later.", "If an immediate upgrade is not possible, disable SLD_BODY processing or restrict WMS endpoints to trusted networks.", "Monitor server logs for repeated crash indications and apply temporary service hardening such as limiting the number of Threshold elements allowed.", "Verify that no older MapServer binaries are running on the system."], "summary": {"action": "Patch Now", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "This weakness impacts MapServer versions starting from 4.2 up to, but not including, 8.6.1. The affected product is the MapServer GIS server developed by OSGeo.", "description_and_impact": "A heap buffer overflow occurs in the Styled Layer Descriptor (SLD) parser of MapServer when more than 100 Threshold elements are present in a ColorMap/Categorize block. An attacker can supply a crafted SLD via the WMS GetMap request (using the SLD_BODY parameter) to trigger the overflow, causing the MapServer process to crash. The overflow is a classic memory corruption flaw (CWE\u2011787) that leads to a denial\u2011of\u2011service condition.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1\u202f% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need network access to a MapServer instance that accepts SLD_BODY in WMS GetMap requests, but no authentication is required. Once the crafted SLD is processed, the server crashes, interrupting availability for all clients until restarted."}}}}, "created": "2026-03-27T08:31:14.407033+00:00", "updated": "2026-04-02T07:55:55.993903+00:00", "vendors": ["mapserver", "mapserver$PRODUCT$mapserver"]}