CVE-2026-33721

NameCVE-2026-33721
DescriptionMapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer’s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4537-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
mapserver (PTS)bullseye7.6.2-1vulnerable
bullseye (security)7.6.2-1+deb11u2fixed
bookworm8.0.0-3vulnerable
trixie8.4.0-4+deb13u1vulnerable
forky, sid8.6.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
mapserversourcebullseye7.6.2-1+deb11u2DLA-4537-1
mapserversource(unstable)8.6.1-1

Notes

https://github.com/MapServer/MapServer/security/advisories/GHSA-cv4m-mr84-fgjp
Fixed by: https://github.com/MapServer/MapServer/commit/fb08dad4afee081b81c57ca0c5d37c149e7755f9 (rel-8-6-1)
Search for package or bug name: Reporting problems