Upstream information

CVE-2026-33721 at MITRE

Description

MapServer is a system for developing web-based GIS applications. Starting in version 4.2 and prior to version 8.6.1, a heap-buffer-overflow write in MapServer's SLD (Styled Layer Descriptor) parser lets a remote, unauthenticated attacker crash the MapServer process by sending a crafted SLD with more than 100 Threshold elements inside a ColorMap/Categorize structure (commonly reachable via WMS GetMap with SLD_BODY). Version 8.6.1 patches the issue.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v3 Scores
CVSS detail CNA (GitHub) National Vulnerability Database
Base Score 5.3 7.5
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network Network
Attack Complexity Low Low
Privileges Required None None
User Interaction None None
Scope Unchanged Unchanged
Confidentiality Impact None None
Integrity Impact None None
Availability Impact Low High
CVSSv3 Version 3.1 3.1
SUSE Bugzilla entry: 1260869 [NEW]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
openSUSE Leap 16.0
  • libjavamapscript >= 8.6.1-bp160.1.1
  • libmapserver2 >= 8.6.1-bp160.1.1
  • mapserver >= 8.6.1-bp160.1.1
  • mapserver-devel >= 8.6.1-bp160.1.1
  • perl-mapscript >= 8.6.1-bp160.1.1
  • php-mapscriptng >= 8.6.1-bp160.1.1
  • python313-mapserver >= 8.6.1-bp160.1.1
 Patchnames:
openSUSE-Leap-16.0-packagehub-190
openSUSE Tumbleweed
  • libjavamapscript >= 8.6.1-1.1
  • libmapserver2 >= 8.6.1-1.1
  • mapserver >= 8.6.1-1.1
  • mapserver-devel >= 8.6.1-1.1
  • perl-mapscript >= 8.6.1-1.1
  • php-mapscriptng >= 8.6.1-1.1
  • python311-mapserver >= 8.6.1-1.1
  • python313-mapserver >= 8.6.1-1.1
 Patchnames:
openSUSE-Tumbleweed-2026-10452

SUSE Timeline for this CVE

CVE page created: Fri Mar 27 04:00:31 2026
CVE page last modified: Thu Apr 9 13:04:19 2026