CVE-2026-33721: MapServer: heap-buffer-overflow in SLD Categorize parser (msSLDParseRasterSymbolizer)
CVE-2026-33721 is verified against mapserver · c affected versions: 4.2.0 - 8.6.0 fixed version: 8.6.1 This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00183.
pruva-verify REPRO-2026-00183 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00183/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh MapServer is a CGI binary that parses OGC SLD (Styled Layer Descriptor) XML to style raster/vector layers it serves over WMS/WFS. msSLDParseRasterSymbolizer in src/mapogcsld.cpp (around line 2894) allocates a fixed-size buffer for 100 threshold pointers for a <se:Categorize> element. The reallocation guard checks the wrong variable — nValues == nMaxThreshold instead of nThresholds == nMaxThreshold. Because nValues increments at a different rate than nThresholds, reallocation never fires when the SLD contains more than 100 <se:Threshold> children, and the subsequent pointer writes spill past the 100-slot array.
The bug is reachable unauthenticated on any MapServer instance that accepts an SLD body in its WMS request (SLD_BODY parameter is the standard OGC angle; SLD URL-by-reference also reaches the same parser). Practical impact is at minimum a worker-process crash (CVSS A:H per NIST); depending on heap state, the spilled pointers may be controllable enough for a stronger consequence — that's outside the scope this ticket asks for, but it does NOT cap at "ASAN goes brr". The reproduction MUST hit the real mapserv CGI entry, not a unit-test harness.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.