CVE-2026-33721
Published: 27 March 2026
Summary
CVE-2026-33721 is a medium-severity Out-of-bounds Write (CWE-787) vulnerability in Osgeo Mapserver. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked in the top 46.2% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2026-33721 is a heap-buffer-overflow write vulnerability in the Styled Layer Descriptor (SLD) parser of MapServer, an open-source system for developing web-based GIS applications. The flaw affects MapServer versions starting from 4.2 up to but not including 8.6.1. It stems from improper handling of SLD structures, specifically when processing more than 100 Threshold elements within a ColorMap or Categorize element, classified under CWE-787 (Out-of-bounds Write). The issue carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity primarily due to availability impact.
A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted SLD document to a vulnerable MapServer instance, commonly via a WMS GetMap request containing an SLD_BODY parameter. Successful exploitation triggers a heap buffer overflow during parsing, causing the MapServer process to crash and resulting in a denial-of-service condition. No user interaction is required, and the attack is straightforward given the low complexity and network accessibility.
The mitigation is to upgrade to MapServer version 8.6.1 or later, which includes a patch for the SLD parser issue, as detailed in the official release notes. The MapServer security advisory (GHSA-cv4m-mr84-fgjp) confirms the fix and provides additional context on the vulnerability. A Debian LTS announcement also advises users to apply the relevant updates for affected packages.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-16501
Vulnerability details
MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer’s SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Heap buffer overflow in public-facing MapServer WMS/SLD parser directly enables remote unauthenticated crash of the application process, matching application exploitation for endpoint DoS.
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the heap-buffer-overflow by requiring timely remediation through patching to MapServer version 8.6.1 or later.
Requires validation of untrusted SLD inputs in WMS GetMap requests to reject crafted structures with excessive Threshold elements, preventing parser overflow.
Implements memory protection mechanisms like address space layout randomization and stack guards to mitigate heap buffer overflow exploits in the SLD parser.
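
The input-validation control described above, sketched as a pre-filter that a proxy or WSGI layer could run before a request reaches MapServer. This is an added example, not MapServer code or the 8.6.1 patch; the function names, the example host and the sample SLD are constructed for illustration, and the limit of 100 is taken from the vulnerability description on this page.

```python
import io
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

MAX_THRESHOLDS = 100                      # limit from the vulnerability description
CONTAINERS = {"ColorMap", "Categorize"}   # structures named in the description

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def sld_is_acceptable(sld_bytes):
    """False if the SLD is malformed, carries a DOCTYPE, or any single
    ColorMap/Categorize holds more than MAX_THRESHOLDS Threshold elements."""
    # An SLD needs no DTD; refuse one (byte match: ASCII-compatible encodings only).
    if b"<!DOCTYPE" in sld_bytes.upper():
        return False
    stack = []                            # one Threshold counter per open container
    try:
        for event, elem in ET.iterparse(io.BytesIO(sld_bytes), events=("start", "end")):
            name = local(elem.tag)
            if event == "start":
                if name in CONTAINERS:
                    stack.append(0)
                elif name == "Threshold" and stack:
                    stack[-1] += 1
                    if stack[-1] > MAX_THRESHOLDS:
                        return False      # stop early, do not parse the rest
            else:
                if name in CONTAINERS:
                    stack.pop()
                elem.clear()              # keep memory flat on large documents
    except ET.ParseError:
        return False                      # fail closed on malformed XML
    return True

def getmap_is_acceptable(url):
    """Check every SLD_BODY value in a WMS request URL (parameter name is case-insensitive)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return all(sld_is_acceptable(v.encode("utf-8"))
               for k, vals in query.items() if k.upper() == "SLD_BODY" for v in vals)

def build_sld(n):
    """Constructed sample: one Categorize element with n Threshold children."""
    body = "".join(f"<se:Threshold>{i}</se:Threshold><se:Value>#000000</se:Value>" for i in range(n))
    return ('<StyledLayerDescriptor xmlns:se="http://www.opengis.net/se">'
            f"<se:Categorize>{body}</se:Categorize></StyledLayerDescriptor>").encode()
```

The check covers only an inline SLD_BODY in the query string; other ways of supplying an SLD are not inspected. It is a compensating control until the upgrade to 8.6.1 or later is applied.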