CVE-2026-45104
Analyzed Analyzed - Analysis Complete
NULL Pointer Dereference in MapServer SLD Processing

Publication date: 2026-05-27

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/> β€” it assumes msSLDParseRule added one class. When the rule has no symbolizer (a structurally valid SLD), msSLDParseRule adds zero, and _SLDApplyRuleValues ends up indexing _class[-1], resulting in a NULL pointer dereference. A 200-byte well-formed SLD via the WMS SLD_BODY= parameter is enough to trigger this, no auth required. This vulnerability is fixed in 8.6.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-06-02
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-45104
EUVD
EUVD-2026-32631
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
osgeo mapserver From 6.4.0 (inc) to 8.6.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-476 The product dereferences a pointer that it expects to be valid but is NULL.
CWE-129 The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability results in a NULL pointer dereference, which can cause the MapServer application to crash or become unavailable.

Since the CVSS score rates the impact on availability as high (A:H), this means an attacker can cause a denial of service (DoS) condition remotely without authentication.

Compliance Impact

The vulnerability in MapServer allows remote denial-of-service (DoS) attacks that can cause worker process crashes or full outages in affected environments. While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, availability disruptions caused by this vulnerability could impact compliance with regulations that require maintaining system availability and reliability.

Specifically, regulations like GDPR and HIPAA mandate ensuring the availability of systems processing personal or sensitive data. A denial-of-service condition resulting from this vulnerability could lead to service interruptions, potentially violating these availability requirements.

However, there is no direct information in the provided context or resources linking this vulnerability to data confidentiality or integrity breaches, which are also critical for compliance.

Detection Guidance

This vulnerability can be detected by sending a crafted SLD payload via the WMS SLD_BODY parameter to the MapServer instance and observing if it causes a crash or denial of service.

A practical detection method is to send a well-formed SLD XML payload of about 200 bytes containing an <ElseFilter/> rule with no symbolizer to the vulnerable WMS GetMap endpoint and check for process crashes or service outages.

Example command using curl to test the vulnerability (replace <URL> with your MapServer WMS endpoint):

  • curl -X GET "<URL>?SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap&LAYERS=layername&STYLES=&SLD_BODY=<StyledLayerDescriptor><UserStyle><FeatureTypeStyle><Rule><ElseFilter/></Rule></FeatureTypeStyle></UserStyle></StyledLayerDescriptor>"

Monitor the MapServer process or service logs for crashes or segmentation faults after sending this request.

Executive Summary

This vulnerability exists in MapServer versions from 6.4.0 to before 8.6.3. It occurs because the function msSLDParseUserStyle always calls _SLDApplyRuleValues with an assumption that a class has been added for any <Rule> containing <ElseFilter/>. However, if the rule has no symbolizer (which is still structurally valid), no class is added, causing _SLDApplyRuleValues to access an invalid index, leading to a NULL pointer dereference.

An attacker can trigger this vulnerability by sending a well-formed 200-byte SLD (Styled Layer Descriptor) via the WMS SLD_BODY= parameter without requiring any authentication.

This issue is fixed in MapServer version 8.6.3.

Mitigation Strategies

The vulnerability is fixed in MapServer version 8.6.3. Immediate mitigation involves upgrading your MapServer installation to version 8.6.3 or later.

Since the vulnerability can be triggered by a 200-byte well-formed SLD via the WMS SLD_BODY= parameter without authentication, restricting or filtering access to this parameter at the network or application level may help reduce exposure until the upgrade is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45104. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart