PatchSiren cyber security CVE debrief
CVE-2026-45104 MapServer CVE debrief
MapServer versions 6.4.0 through 8.6.2 contain a NULL pointer dereference vulnerability in SLD (Styled Layer Descriptor) parsing. The flaw resides in `msSLDParseUserStyle`, which unconditionally calls `_SLDApplyRuleValues(psRule, psLayer, 1)` for any `<Rule>` element containing `<ElseFilter/>`. This assumes that `msSLDParseRule` has added at least one class to the layer. However, when a rule lacks any symbolizer—a structurally valid SLD configuration—`msSLDParseRule` adds zero classes. The subsequent call to `_SLDApplyRuleValues` then attempts to access `_class[-1]`, resulting in a NULL pointer dereference and denial of service. The vulnerability is exploitable without authentication via the WMS `SLD_BODY=` parameter using a minimal 200-byte SLD payload. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects network accessibility, low attack complexity, no privileges required, and high availability impact. CWE-129 (Improper Validation of Array Index) and CWE-476 (NULL Pointer Dereference) are the identified weakness categories. The issue was remediated in MapServer 8.6.3.
- Vendor: MapServer
- Product: Unknown
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations operating MapServer-based geospatial web services, particularly those exposing WMS endpoints to untrusted networks. GIS infrastructure administrators, security teams responsible for geospatial application security, and developers maintaining custom MapServer deployments should prioritize assessment and patching.
Technical summary
The vulnerability exists in the SLD parsing implementation within MapServer's mapogcsld.c. The function `msSLDParseUserStyle` processes `<UserStyle>` elements and handles `<Rule>` sub-elements. When encountering a `<Rule>` with `<ElseFilter/>`, it invokes `_SLDApplyRuleValues` with a hardcoded class index of 1, assuming prior class creation by `msSLDParseRule`. The function `msSLDParseRule` creates classes only when symbolizers are present. A valid SLD may contain a rule with ElseFilter but no symbolizers, resulting in zero classes added. The index calculation `psLayer->numclasses-1` becomes -1, causing out-of-bounds array access and NULL pointer dereference when `_SLDApplyRuleValues` attempts to modify the non-existent class. The WMS interface exposes this parsing code through the SLD_BODY parameter, enabling remote unauthenticated exploitation. The fix in 8.6.3 adds proper validation to ensure class existence before applying rule values.
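An added example, not MapServer's code and not the 8.6.3 patch: a simplified C model of the pattern described above, with a guard that checks how many classes the rule actually added before anything is indexed at `numclasses - 1`. The `model_*` names, the structs and the one-class-per-symbolizer behaviour are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified stand-ins for MapServer's classObj and layerObj (assumption). */
typedef struct { int is_fallback; } model_class;
typedef struct { model_class **classes; int numclasses; } model_layer;

/* Models msSLDParseRule as this page describes it: classes are added
 * only when the rule carries symbolizers, so zero symbolizers add nothing.
 * Returns the number of classes added, or -1 on allocation failure. */
static int model_parse_rule(model_layer *layer, int n_symbolizers) {
    for (int i = 0; i < n_symbolizers; i++) {
        model_class **grown = realloc(layer->classes,
                                      (size_t)(layer->numclasses + 1) * sizeof *grown);
        if (!grown) return -1;
        layer->classes = grown;
        layer->classes[layer->numclasses] = calloc(1, sizeof(model_class));
        if (!layer->classes[layer->numclasses]) return -1;
        layer->numclasses++;
    }
    return n_symbolizers > 0 ? n_symbolizers : 0;
}

/* Guarded ElseFilter path: only classes this rule actually added are touched.
 * Without the check, an empty layer would be indexed at numclasses - 1 == -1. */
static int model_apply_else_rule(model_layer *layer, int n_symbolizers) {
    int added = model_parse_rule(layer, n_symbolizers);
    if (added < 0) return -1;          /* allocation failure */
    if (added == 0) return 0;          /* rule without symbolizers: nothing to mark */
    for (int i = layer->numclasses - added; i < layer->numclasses; i++)
        layer->classes[i]->is_fallback = 1;
    return added;
}

static void model_layer_free(model_layer *layer) {
    for (int i = 0; i < layer->numclasses; i++) free(layer->classes[i]);
    free(layer->classes);
    layer->classes = NULL;
    layer->numclasses = 0;
}

int main(void) {
    model_layer layer = {0};
    printf("no symbolizers -> %d classes marked\n", model_apply_else_rule(&layer, 0));
    printf("two symbolizers -> %d classes marked\n", model_apply_else_rule(&layer, 2));
    model_layer_free(&layer);
    return 0;
}
```

Counting the classes added by the rule, rather than only testing `numclasses > 0`, also keeps a symbolizer-less rule from marking a class that an earlier rule created.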
Defensive priority
HIGH
Recommended defensive actions
- Upgrade MapServer to version 8.6.3 or later to remediate this vulnerability
- If immediate patching is not feasible, restrict or disable WMS SLD_BODY parameter access at the network perimeter
- Monitor WMS access logs for anomalous SLD_BODY requests containing ElseFilter constructs
- Review MapServer deployments for versions 6.4.0 through 8.6.2 and prioritize patching for internet-facing instances
- Validate SLD parsing logic in custom MapServer builds if running modified versions
Evidence notes
Vulnerability description derived from CVE-2026-45104 record and GitHub Security Advisory GHSA-4h8g-378q-r75m. Affected version range 6.4.0 to before 8.6.3 confirmed. Attack vector via WMS SLD_BODY parameter with unauthenticated access explicitly stated. CVSS 3.1 score 7.5 (HIGH) and vector confirmed. CWE-129 and CWE-476 classifications from primary source. Fix version 8.6.3 confirmed.
Official resources
- CVE-2026-45104 CVE record (CVE.org)
- CVE-2026-45104 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27