CVE-2026-33721: OSGeo MapServer Buffer Overflow Flaw

CVE-2026-33721 is a heap buffer overflow vulnerability in OSGeo MapServer's SLD parser that allows remote attackers to crash the server. This article covers the technical details, affected versions, and mitigation.

Published: April 3, 2026

CVE-2026-33721 Overview

CVE-2026-33721 is a heap-buffer-overflow write in MapServer's Styled Layer Descriptor (SLD) parser. It affects versions 4.2 through 8.6.0 of the open-source web GIS platform and lets a remote, unauthenticated attacker crash the MapServer process with a crafted SLD whose ColorMap/Categorize structure contains more than 100 Threshold elements. The usual delivery path is a WMS GetMap request that carries the document in the SLD_BODY parameter, which any client able to reach the WMS endpoint can send.

Critical Impact

A remote, unauthenticated attacker can crash MapServer instances on demand, taking the WMS endpoint and any web mapping application built on it offline until the process is restarted. The published CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, score 7.5) scores the impact as availability-only; the advisory describes a crash, not code execution or data exposure.

Affected Products

  • OSGeo MapServer versions 4.2 through 8.6.0
  • MapServer WMS (Web Map Service) endpoints accepting SLD_BODY parameters
  • Any web-based GIS applications built on vulnerable MapServer versions

Discovery Timeline

  • 2026-03-27 - CVE-2026-33721 published to NVD
  • 2026-04-01 - Last updated in NVD database

Technical Details for CVE-2026-33721

Vulnerability Analysis

This vulnerability is classified as CWE-787 (Out-of-Bounds Write), a memory corruption issue in the SLD parser component of MapServer. The root cause lies in the parser's handling of ColorMap/Categorize structures, where insufficient bounds checking allows an attacker to trigger a heap-buffer-overflow when more than 100 Threshold elements are processed. The attack requires no authentication and can be executed remotely over the network with low complexity, making it a significant availability threat to exposed MapServer instances.

Root Cause

The vulnerability originates from inadequate input validation in MapServer's SLD parsing logic. When processing a ColorMap/Categorize structure, the parser stores the Threshold values in a heap buffer whose size is fixed in advance, with room for 100 entries, and never compares the number of Threshold elements in the document against that size before writing them. An SLD with 101 or more Threshold elements therefore makes the parser write past the end of the allocation, corrupting adjacent heap memory; the process crashes either at that point or shortly afterwards, when the allocator trips over the corrupted metadata.
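The pattern the paragraph describes, as an added illustration that is not MapServer's source: the names, the struct layout and the capacity of 100 are assumptions chosen to mirror the advisory text. The unchecked store is shown beside a bounds-checked one so the missing comparison is visible at the exact line where it belongs.

```c
#include <stdio.h>
#include <stdlib.h>

/* Illustrative reconstruction of the CWE-787 pattern described above. This is NOT
 * MapServer's source: the type and function names, the struct layout and the
 * capacity of 100 are assumptions chosen to mirror the advisory text. */
#define THRESHOLD_CAPACITY 100          /* assumed size of the fixed heap buffer */

typedef struct {
    double *thresholds;                 /* heap buffer sized for THRESHOLD_CAPACITY values */
    int     count;
} categorize_t;

/* Vulnerable shape: the allocation size is fixed before the element count is known and
 * the store loop never compares the index with the capacity. For n > 100 the stores land
 * past the end of the allocation (a heap-buffer-overflow write). AddressSanitizer reports
 * the first bad store; a production build corrupts heap metadata and usually aborts later
 * inside the allocator, which is the crash the advisory describes.
 * Never call this with n > THRESHOLD_CAPACITY outside a sanitizer build. */
int categorize_store_unchecked(categorize_t *c, const double *values, int n)
{
    c->thresholds = malloc(THRESHOLD_CAPACITY * sizeof(double));
    if (!c->thresholds) return -1;
    for (int i = 0; i < n; i++)
        c->thresholds[i] = values[i];   /* i is never checked against THRESHOLD_CAPACITY */
    c->count = n;
    return 0;
}

/* Hardened shape: compare the element count with the capacity before the first write and
 * turn an oversized Categorize into a parse error. Sizing the buffer from n (under a policy
 * cap) is the other valid fix; this page does not say which one 8.6.1 adopted. */
int categorize_store_checked(categorize_t *c, const double *values, int n)
{
    c->thresholds = NULL;
    c->count = 0;
    if (n < 0 || n > THRESHOLD_CAPACITY)
        return -1;                      /* reject: too many Threshold elements */
    c->thresholds = malloc(THRESHOLD_CAPACITY * sizeof(double));
    if (!c->thresholds) return -1;
    for (int i = 0; i < n; i++)
        c->thresholds[i] = values[i];
    c->count = n;
    return 0;
}

void categorize_free(categorize_t *c)
{
    free(c->thresholds);
    c->thresholds = NULL;
    c->count = 0;
}

/* Constructed input: n ascending threshold values, as a Categorize element would carry. */
static double *make_thresholds(int n)
{
    double *v = malloc((size_t)(n > 0 ? n : 1) * sizeof(double));
    if (v) for (int i = 0; i < n; i++) v[i] = (double)i;
    return v;
}

/* Run one store path with n thresholds; returns the stored count, or -1 on rejection. */
static int count_for(int (*store)(categorize_t *, const double *, int), int n)
{
    double *v = make_thresholds(n);
    if (!v) return -1;
    categorize_t c;
    int stored = store(&c, v, n) == 0 ? c.count : -1;
    categorize_free(&c);
    free(v);
    return stored;
}
int checked_count_for(int n)   { return count_for(categorize_store_checked, n); }
int unchecked_count_for(int n) { return count_for(categorize_store_unchecked, n); }   /* n <= 100 only */

int main(int argc, char **argv)
{
    int n = argc > 1 ? atoi(argv[1]) : 101;      /* 101 is the smallest triggering count */
    printf("checked path,   n=%d: %d\n", n, checked_count_for(n));
#ifdef DEMO_OVERFLOW
    /* cc -g -fsanitize=address -DDEMO_OVERFLOW example.c && ./a.out 101 */
    printf("unchecked path, n=%d: %d\n", n, unchecked_count_for(n));
#else
    if (n <= THRESHOLD_CAPACITY)
        printf("unchecked path, n=%d: %d\n", n, unchecked_count_for(n));
#endif
    return 0;
}
```

Built normally, the program only runs the unchecked path for counts that fit; built with -DDEMO_OVERFLOW under AddressSanitizer and given 101, it shows the heap-buffer-overflow WRITE report at the store line, which is the same class of finding the advisory reports for the real parser.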

Attack Vector

The attack is executed remotely over the network, typically through the WMS GetMap interface. An attacker crafts a malicious SLD document containing a ColorMap/Categorize structure with more than 100 Threshold elements. This payload is then delivered to the vulnerable MapServer instance via the SLD_BODY parameter in a WMS GetMap request. The vulnerability requires no prior authentication or user interaction, allowing any unauthenticated remote attacker to exploit it.

The exploitation flow involves:

  1. Identifying a MapServer instance with WMS capabilities enabled
  2. Constructing a malicious SLD document with excessive Threshold elements in a ColorMap/Categorize structure
  3. Sending the crafted SLD via the SLD_BODY parameter in a WMS GetMap request
  4. The parser attempts to process all Threshold elements, overflowing the heap buffer
  5. Memory corruption occurs, resulting in a crash of the MapServer process

For technical details on the vulnerability mechanism, see the GitHub Security Advisory.

Detection Methods for CVE-2026-33721

Indicators of Compromise

  • Unexpected MapServer process crashes or restarts; for CGI deployments the web server's error log records them (Apache, for example, logs "Premature end of script headers: mapserv" when the CGI dies before responding), for FastCGI deployments they show up as repeated backend disconnects
  • WMS GetMap requests whose SLD_BODY parameter is unusually large, or many such requests from one source in a short window
  • HTTP requests whose SLD XML carries large numbers of <Threshold> elements inside <ColorMap>/<Categorize> structures; more than 100 matches the trigger condition, a count that legitimate raster classifications rarely reach
  • Error logs showing segmentation faults, allocator aborts from heap corruption, or memory allocation failures in MapServer

Detection Strategies

  • Monitor WAF or reverse-proxy logs for WMS requests whose SLD_BODY parameter contains an excessive number of XML elements; decode the percent-encoded value before matching (a raw-string rule for "<Threshold>" never fires on %3CThreshold%3E) and match the parameter name case-insensitively, since MapServer accepts sld_body as well as SLD_BODY
  • Write intrusion detection or WAF rules that count Threshold elements per ColorMap/Categorize structure and flag SLD documents in which any structure holds more than 100
  • Enable MapServer's own logging (the DEBUG level and MS_ERRORFILE settings in the mapfile) so that SLD parsing failures can be correlated with the requests that caused them and with process crashes
  • In development or test environments, build MapServer with AddressSanitizer (-fsanitize=address) and replay captured SLD payloads against it: the sanitizer reports the out-of-bounds write deterministically, which is a cleaner confirmation than waiting for a production crash

Monitoring Recommendations

  • Enable verbose logging on MapServer instances to capture detailed request information
  • Configure alerting for MapServer process crashes or unexpected restarts
  • Implement rate limiting on WMS endpoints to mitigate automated exploitation attempts
  • Monitor system health metrics for signs of denial of service conditions

How to Mitigate CVE-2026-33721

Immediate Actions Required

  • Upgrade MapServer to version 8.6.1 or later
  • If patching has to wait, turn SLD support off for the interim: MapServer's WMS server honours a wms_sld_enabled WEB METADATA entry set to "false" in the mapfile (confirm the key in the WMS server documentation for your release), which removes both SLD_BODY and the by-URL SLD parameter from the attack surface
  • Add web application firewall rules that reject SLD documents with more than 100 Threshold elements; inspect POST bodies as well as query strings, since MapServer accepts WMS parameters either way, and match the parameter name case-insensitively
  • Restrict network access to MapServer WMS endpoints to trusted sources where feasible

Patch Information

OSGeo has released MapServer version 8.6.1 which addresses this heap-buffer-overflow vulnerability. The patch adds proper bounds checking to the SLD parser to prevent the overflow condition when processing ColorMap/Categorize structures. Organizations should upgrade to this version or later to fully remediate the vulnerability.

For detailed patch information, refer to the MapServer 8.6.1 Release Notes and the GitHub Security Advisory.

Workarounds

  • Disable WMS SLD support if your deployment does not need it (see Immediate Actions above)
  • Validate input at the web server or reverse proxy: percent-decode the SLD_BODY value and reject documents in which any ColorMap/Categorize structure holds more than 100 Threshold elements
  • Deploy a WAF rule to inspect and block malicious SLD payloads before they reach MapServer; MapServer also accepts an SLD by URL through the SLD parameter, which is handed to the same parser, so a rule that only looks at SLD_BODY leaves that path open
  • Isolate MapServer instances behind network segmentation to limit exposure to untrusted networks

The Apache fragment below rejects any request whose query string carries an SLD_BODY parameter. It is written for Apache 2.4 (the older "Deny from" form needs mod_access_compat there), matches the parameter name case-insensitively because MapServer does, and is a stop-gap only: it does not see parameters sent in a POST body, nor the by-URL SLD parameter.

```apache
# Apache 2.4: reject requests whose query string carries an SLD_BODY parameter
# Add to the virtual host that serves the MapServer CGI
<LocationMatch "/cgi-bin/mapserv">
    # WMS parameter names are case-insensitive, so match sld_body in any case
    SetEnvIfNoCase Query_String "(^|&)SLD_BODY=" block_sld
    <RequireAll>
        Require all granted
        Require not env block_sld
    </RequireAll>
</LocationMatch>
```
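One way to implement both the "flag SLD documents with more than 100 Threshold elements" item under Detection Strategies and the reverse-proxy validation listed under Workarounds, as an added example that is neither MapServer's nor the advisory's code. It assumes the filter sees the raw query string, that WMS parameter names are case-insensitive (as MapServer treats them), and the limit of 100 from the advisory; the sample GetMap request is constructed inline. A POST form body can be fed to the same function unchanged, since it has the same key=value&key=value shape.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not MapServer's code: a pre-filter for the WMS path described above. It
 * pulls SLD_BODY out of a raw query string, percent-decodes it and counts Threshold
 * elements per ColorMap/Categorize structure. The limit of 100 is the advisory's. */
#define THRESHOLD_LIMIT 100

/* Percent-decode len bytes of s into a fresh string; '+' becomes a space. */
static char *url_decode(const char *s, size_t len)
{
    char *out = malloc(len + 1), *o = out;
    if (!out) return NULL;
    for (size_t i = 0; i < len; i++) {
        if (s[i] == '%' && i + 2 < len && isxdigit((unsigned char)s[i + 1]) && isxdigit((unsigned char)s[i + 2])) {
            char hex[3] = { s[i + 1], s[i + 2], 0 };
            *o++ = (char)strtol(hex, NULL, 16); i += 2;
        } else *o++ = (s[i] == '+') ? ' ' : s[i];
    }
    *o = '\0';
    return out;
}

/* Decoded SLD_BODY value or NULL. WMS parameter names are case-insensitive, so sld_body
 * and Sld_Body must match too: a filter keyed on the literal "SLD_BODY" misses them. */
static char *extract_sld_body(const char *query)
{
    for (const char *p = query; *p; p++) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        int match = plen >= 9 && p[8] == '=';
        for (int i = 0; match && i < 8; i++)
            match = tolower((unsigned char)p[i]) == "sld_body"[i];
        if (match) return url_decode(p + 9, plen - 9);
        if (!amp) break;
        p = amp;                                   /* the loop increment skips the '&' */
    }
    return NULL;
}

/* Largest Threshold count inside any one ColorMap/Categorize structure. A small tag scanner,
 * not an XML parser: prefixes (se:, sld:) are stripped, nesting is tracked by depth, and
 * comments are not special-cased, so it can over-count, which is the safe side for a filter. */
int count_max_thresholds(const char *xml)
{
    int depth = 0, current = 0, max = 0;
    char name[64];
    for (const char *p = strchr(xml, '<'); p; p = strchr(p, '<')) {
        if (*++p == '?' || *p == '!') continue;      /* PI, comment, doctype */
        int closing = (*p == '/'); if (closing) p++;
        const char *end = strchr(p, '>');
        if (!end) break;
        const char *q = p, *start = p;
        for (; q < end && !isspace((unsigned char)*q) && *q != '/'; q++)
            if (*q == ':') start = q + 1;            /* drop "prefix:" */
        size_t n = (size_t)(q - start) < sizeof name ? (size_t)(q - start) : sizeof name - 1;
        memcpy(name, start, n); name[n] = '\0';
        int container = !strcmp(name, "ColorMap") || !strcmp(name, "Categorize");
        if (container && !(end > p && end[-1] == '/')) {   /* <ColorMap/> holds nothing */
            if (!closing) { if (depth++ == 0) current = 0; }
            else if (depth > 0 && --depth == 0) { if (current > max) max = current; current = 0; }
        } else if (!closing && depth > 0 && !strcmp(name, "Threshold")) {
            current++;
        }
        p = end;
    }
    return current > max ? current : max;            /* unterminated structure still counts */
}

/* Largest count in the request's SLD_BODY, or -1 when the request carries none. */
int sld_body_threshold_count(const char *query)
{
    char *sld = query ? extract_sld_body(query) : NULL;
    int n = sld ? count_max_thresholds(sld) : -1;
    free(sld);
    return n;
}
int request_exceeds_limit(const char *query) { return sld_body_threshold_count(query) > THRESHOLD_LIMIT; }

/* Constructed sample: a GetMap query whose sld_body carries n Threshold elements,
 * namespace-prefixed and percent-encoded the way a client would send them. */
const char *build_sld_query(int n)
{
    static char q[16384];
    const char *head = "SERVICE=WMS&VERSION=1.3.0&REQUEST=GetMap&sld_body="
                       "%3Csld%3AColorMap%3E%3Cse%3ACategorize%3E";
    const char *one  = "%3Cse%3AThreshold%3E0%3C%2Fse%3AThreshold%3E";
    const char *tail = "%3C%2Fse%3ACategorize%3E%3C%2Fsld%3AColorMap%3E&LAYERS=roads";
    size_t o = strlen(head), ol = strlen(one);
    if (n < 0 || o + (size_t)n * ol + strlen(tail) >= sizeof q) return NULL;
    memcpy(q, head, o);
    for (int i = 0; i < n; i++, o += ol) memcpy(q + o, one, ol);
    strcpy(q + o, tail);
    return q;
}

int main(void)
{
    for (int n = 99; n <= 101; n++)
        printf("%d Threshold elements -> %s\n", n, request_exceeds_limit(build_sld_query(n)) ? "reject" : "allow");
    return 0;
}
```

The scanner deliberately counts per structure rather than per document, so a legitimate SLD with several small Categorize blocks is not rejected just because their Threshold totals add up past 100. It does not fetch or inspect an SLD referenced by URL through the SLD parameter, so that path still needs to be closed separately.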

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Buffer Overflow
  • Vendor/Tech: OSGeo MapServer
  • Severity: HIGH
  • CVSS Score: 7.5
  • EPSS Probability: 0.21%
  • Known Exploited: No
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Assessment

  • Confidentiality: None (C:N in the vector above)
  • Integrity: None
  • Availability: High

CWE References

  • CWE-787

Technical References

  • GitHub Release Note

Vendor Resources

  • GitHub Security Advisory

Related CVEs

  • CVE-2026-30479: MapServer DLL Injection Vulnerability
  • CVE-2025-59431: OSGeo MapServer SQLi Vulnerability