Skip to main content

MapServer EUVDEUVD-2026-32631

| CVE-2026-45104 HIGH
Improper Validation of Array Index (CWE-129)
2026-05-27 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
May 27, 2026 - 21:04 EUVD
Analysis Generated
May 27, 2026 - 20:36 vuln.today

DescriptionGitHub Advisory

MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/> - it assumes msSLDParseRule added one class. When the rule has no symbolizer (a structurally valid SLD), msSLDParseRule adds zero, and _SLDApplyRuleValues ends up indexing _class[-1], resulting in a NULL pointer dereference. A 200-byte well-formed SLD via the WMS SLD_BODY= parameter is enough to trigger this, no auth required. This vulnerability is fixed in 8.6.3.

AnalysisAI

Denial of service in MapServer 6.4.0 through 8.6.2 allows remote unauthenticated attackers to crash the server by submitting a small well-formed SLD document via the WMS SLD_BODY= parameter. The flaw is a NULL pointer dereference reached when an SLD <Rule> carries <ElseFilter/> but defines no symbolizer, causing the styling code to index a class array at position -1. No public exploit has been identified at time of analysis, and the issue is fixed in version 8.6.3.

Technical ContextAI

MapServer is a widely deployed open-source server for web-based GIS that implements OGC services including WMS. The vulnerability lives in its Styled Layer Descriptor (SLD) handling: msSLDParseUserStyle unconditionally calls _SLDApplyRuleValues(psRule, psLayer, 1) for any rule containing <ElseFilter/>, assuming msSLDParseRule had created exactly one class. When the rule is structurally valid but contains no symbolizer, msSLDParseRule adds zero classes, so _SLDApplyRuleValues dereferences _class[-1]. This maps to CWE-129 (Improper Validation of Array Index): the code trusts an assumed array length instead of checking the actual class count before indexing, and the resulting negative index produces a NULL pointer dereference and process crash.

RemediationAI

Apply the vendor-released patch: upgrade to MapServer 8.6.3, which contains the fix. Where immediate upgrade is not possible, reduce exposure by disabling or restricting user-supplied SLD on the WMS service - block or reject the SLD_BODY and SLD parameters at a reverse proxy or WAF, and restrict network access to the WMS endpoint to trusted clients; the trade-off is that legitimate clients relying on dynamic SLD styling will lose that capability until patched. Refer to the advisory at https://github.com/MapServer/MapServer/security/advisories/GHSA-4h8g-378q-r75m for authoritative guidance.

Vendor StatusVendor

SUSE

Severity: High

Share

EUVD-2026-32631 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy