Platform: c
Component: mapserver
Fixed in: 4.2.1
CVE-2026-33721 describes a buffer overflow vulnerability in MapServer, a system for developing web-based GIS applications. This vulnerability allows a remote, unauthenticated attacker to crash the MapServer process by exploiting a flaw in the Styled Layer Descriptor (SLD) parser. The vulnerability affects versions 4.2.0 and later, up to but not including version 8.6.1, and a patch is available in version 8.6.1.
An attacker can trigger this buffer overflow by sending a specially crafted SLD file to a vulnerable MapServer instance. The SLD file must contain more than 100 Threshold elements within a ColorMap/Categorize structure, a common scenario when using Web Map Service (WMS) GetMap requests with SLD_BODY. Successful exploitation results in a denial-of-service (DoS) condition, causing the MapServer process to crash. While the vulnerability doesn't directly lead to data exfiltration or remote code execution, the resulting service disruption can impact GIS applications and potentially expose underlying infrastructure. The ability to crash a critical service remotely makes this a significant concern, especially in environments where MapServer is used for public-facing GIS services.
CVE-2026-33721 was publicly disclosed on 2026-03-27. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature makes it relatively straightforward to exploit given a basic understanding of SLD structure.
Exploit Status
EPSS: 0.21% (43% percentile)
The primary mitigation for CVE-2026-33721 is to upgrade MapServer to version 8.6.1 or later, which contains the fix for the SLD parser vulnerability. If upgrading immediately is not feasible, consider implementing temporary workarounds. Input validation on the server-side can be used to limit the number of Threshold elements within SLD files. Web Application Firewalls (WAFs) can be configured to detect and block requests containing excessively large SLD payloads. Monitor MapServer logs for unusual activity or crashes that might indicate exploitation attempts. After upgrading, confirm the fix by attempting to submit a crafted SLD file containing a large number of Threshold elements and verifying that the process does not crash.
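One way to implement the server-side Threshold limit described above is a pre-filter that runs in front of MapServer, for example in a reverse proxy or WSGI layer. This is an added example, not MapServer code: the function names, the 256 KiB size cap and the DTD rejection are assumptions, and it only inspects SLD_BODY in the query string of a GET request.

```python
import io
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

MAX_THRESHOLDS = 100        # advisory: the overflow needs more than 100 Threshold elements
MAX_SLD_BYTES = 256 * 1024  # assumed payload cap, tune for your deployment


def check_sld(sld: bytes):
    """Return (allowed, reason) for one SLD document; any doubt means reject."""
    if len(sld) > MAX_SLD_BYTES:
        return False, "sld too large"
    if b"<!DOCTYPE" in sld.upper():
        return False, "dtd not allowed"  # keeps entity expansion away from the parser
    depth = count = 0                    # Categorize nesting, Thresholds in current one
    try:
        for event, elem in ET.iterparse(io.BytesIO(sld), events=("start", "end")):
            name = elem.tag.rsplit("}", 1)[-1]  # drop namespace: se:Threshold == Threshold
            if name == "Categorize":
                depth += 1 if event == "start" else -1
                if depth == 0:
                    count = 0            # the next Categorize is counted separately
            elif name == "Threshold" and event == "start" and depth > 0:
                count += 1
                if count > MAX_THRESHOLDS:
                    return False, "too many Threshold elements"
    except ET.ParseError:
        return False, "malformed xml"
    return True, "ok"


def check_getmap_url(url: str):
    """Apply check_sld to every SLD_BODY parameter in a WMS request URL."""
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if key.upper() == "SLD_BODY":    # WMS parameter names are case-insensitive
            ok, reason = check_sld(value.encode("utf-8"))
            if not ok:
                return False, reason
    return True, "ok"


def sample_sld(n):
    """Constructed input: a minimal ColorMap/Categorize fragment with n Thresholds."""
    body = "".join(f"<se:Threshold>{i}</se:Threshold><se:Value>#000000</se:Value>"
                   for i in range(n))
    return (f'<se:ColorMap xmlns:se="http://www.opengis.net/se"><se:Categorize>'
            f"{body}</se:Categorize></se:ColorMap>").encode()
```

Requests that fail the check should be answered with an error by the filter and logged rather than forwarded to MapServer.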
Update MapServer to version 8.6.1 or later to mitigate the heap buffer overflow in the SLD parser. This update corrects the vulnerability by properly validating SLD input and preventing out-of-bounds buffer writes.
CVE-2026-33721 is a buffer overflow vulnerability in MapServer versions 4.2.0 through 8.6.0. A crafted SLD file can cause the MapServer process to crash, leading to a denial-of-service.
You are affected if you are using MapServer versions 4.2.0 through 8.6.0. Upgrade to version 8.6.1 or later to resolve the vulnerability.
The recommended fix is to upgrade MapServer to version 8.6.1 or later. As a temporary workaround, implement input validation or WAF rules to limit SLD payload size.
There is currently no evidence of active exploitation of CVE-2026-33721, but the vulnerability's nature makes it potentially exploitable.
Refer to the official MapServer security advisories on their website for the latest information and updates regarding CVE-2026-33721.