NVD - CVE-2026-33721
Description
MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer’s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue.
Metrics
NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.
CVSS 4.0 Severity and Vector Strings:
NIST: NVD
NVD assessment not yet provided.
CVSS 3.x Severity and Vector Strings:
NIST: NVD
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CNA: GitHub, Inc.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 2.0 Severity and Vector Strings:
NIST: NVD
Base Score: N/A
NVD assessment not yet provided.
Weakness Enumeration
| CWE-ID | CWE Name | Source |
|---|---|---|
| CWE-787 | Out-of-bounds Write | GitHub, Inc. |
Known Affected Software Configurations
Change History
3 change records found
CVE Modified by CVE 4/17/2026 2:16:31 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Reference | | https://lists.debian.org/debian-lts-announce/2026/04/msg00017.html |
Initial Analysis by NIST 4/01/2026 11:58:41 AM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Added | CPE Configuration | | OR *cpe:2.3:a:osgeo:mapserver:*:*:*:*:*:*:*:* versions from (including) 4.2.0 up to (excluding) 8.6.1 |
| Added | Reference Type | | GitHub, Inc.: https://github.com/MapServer/MapServer/releases/tag/rel-8-6-1 Types: Product, Release Notes |
| Added | Reference Type | | GitHub, Inc.: https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp Types: Exploit, Mitigation, Vendor Advisory |
New CVE Received from GitHub, Inc. 3/26/2026 9:16:19 PM
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | | MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer’s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue. |
| Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| Added | CWE | | CWE-787 |
| Added | Reference | | https://github.com/MapServer/MapServer/releases/tag/rel-8-6-1 |
| Added | Reference | | https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp |