Executive Summary

CVE-2026-33721 is a heap buffer overflow vulnerability in MapServer's SLD (Styled Layer Descriptor) parser affecting versions 4.2 up to 8.6.0. The issue arises in the function that parses Threshold elements within a ColorMap/Categorize structure. The parser allocates memory for up to 100 Threshold entries but incorrectly checks the number of nodes instead of the number of Threshold elements, allowing an attacker to send more than 100 Threshold elements and cause an out-of-bounds write beyond the allocated heap buffer.

This vulnerability can be triggered remotely and without authentication by sending a specially crafted SLD, commonly via WMS GetMap requests with SLD_BODY enabled. The overflow leads to memory corruption, specifically an 8-byte pointer overwrite per extra Threshold element, which can crash the MapServer process.

Useful 0 Not Useful 0

Impact Analysis

The primary impact of this vulnerability is a denial-of-service condition caused by crashing the MapServer process. Since the heap buffer overflow corrupts memory, it can cause the server to terminate unexpectedly when processing malicious SLD requests.

The vulnerability does not affect confidentiality or integrity of data, but it does impact availability, potentially disrupting GIS services that rely on MapServer.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for crashes or denial-of-service events in MapServer processes when handling WMS GetMap requests with SLD_BODY parameters.

Specifically, detection involves identifying crafted SLD XML payloads containing more than 100 Threshold elements inside a ColorMap/Categorize structure.

Network detection can be done by capturing and inspecting WMS GetMap requests for unusually large or suspicious SLD_BODY parameters with excessive Threshold elements.

While no explicit commands are provided in the resources, a practical approach includes using network packet capture tools like tcpdump or Wireshark to filter HTTP requests to MapServer endpoints and searching for SLD_BODY parameters with large Categorize Threshold counts.

• Example tcpdump command to capture HTTP traffic to MapServer: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
• Use grep or XML parsing tools on captured data to identify SLD_BODY parameters with more than 100 Threshold elements.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade MapServer to version 8.6.1 or later, where the vulnerability has been patched.

If upgrading is not immediately possible, consider disabling or restricting the use of SLD_BODY parameters in WMS GetMap requests to prevent processing of potentially malicious SLDs.

Additionally, monitor MapServer logs and network traffic for suspicious requests containing large numbers of Threshold elements and block or rate-limit such requests.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in MapServer is a heap-buffer-overflow that can be triggered remotely to cause a denial-of-service by crashing the process. It does not impact confidentiality or integrity of data, only availability to a low degree.

Since the vulnerability does not lead to unauthorized data access or data leakage, it is unlikely to directly affect compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on protecting personal data confidentiality and integrity.

However, the availability impact, although low, could potentially affect service continuity requirements under some standards if exploited in a production environment.

Useful 0 Not Useful 0