Skip to content
Verified reproduction

CVE-2026-33721: MapServer: heap-buffer-overflow in SLD Categorize parser (msSLDParseRasterSymbolizer)

CVE-2026-33721 is verified against mapserver · c affected versions: 4.2.0 - 8.6.0 fixed version: 8.6.1 This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00183.

REPRO-2026-00183 mapserver · c Variant found May 28, 2026 CVE entry .txt
Severity HIGH
Confidence HIGH
Reproduced in 14m 33s
Tool calls 177
Spend $1.33
Affected 4.2.0 - 8.6.0
Fixed in 8.6.1
$ pruva-verify REPRO-2026-00183
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00183/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

MapServer is a CGI binary that parses OGC SLD (Styled Layer Descriptor) XML to style raster/vector layers it serves over WMS/WFS. msSLDParseRasterSymbolizer in src/mapogcsld.cpp (around line 2894) allocates a fixed-size buffer for 100 threshold pointers for a <se:Categorize> element. The reallocation guard checks the wrong variablenValues == nMaxThreshold instead of nThresholds == nMaxThreshold. Because nValues increments at a different rate than nThresholds, reallocation never fires when the SLD contains more than 100 <se:Threshold> children, and the subsequent pointer writes spill past the 100-slot array.

The bug is reachable unauthenticated on any MapServer instance that accepts an SLD body in its WMS request (SLD_BODY parameter is the standard OGC angle; SLD URL-by-reference also reaches the same parser). Practical impact is at minimum a worker-process crash (CVSS A:H per NIST); depending on heap state, the spilled pointers may be controllable enough for a stronger consequence — that's outside the scope this ticket asks for, but it does NOT cap at "ASAN goes brr". The reproduction MUST hit the real mapserv CGI entry, not a unit-test harness.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.