CVE-2026-45104
Description
MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/>, assuming that msSLDParseRule added exactly one class. When the rule has no symbolizer (a structurally valid SLD), msSLDParseRule adds zero classes, and _SLDApplyRuleValues ends up indexing _class[-1], resulting in a NULL pointer dereference. A well-formed SLD of about 200 bytes sent via the WMS SLD_BODY= parameter is enough to trigger this; no authentication is required. This vulnerability is fixed in 8.6.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A NULL pointer dereference in MapServer's SLD ElseFilter rule parsing allows unauthenticated remote attackers to crash the server via a crafted SLD.
Vulnerability
A NULL pointer dereference vulnerability exists in MapServer's SLD parsing code, specifically in `msSLDParseUserStyle` within `src/mapogcsld.cpp`. When processing a `<Rule>` element that contains `<ElseFilter/>`, the code unconditionally calls `_SLDApplyRuleValues(psRule, psLayer, 1)`, assuming that `msSLDParseRule` has added exactly one new class. However, if the rule contains no symbolizer (a structurally valid SLD), `msSLDParseRule` adds zero classes. The subsequent call to `_SLDApplyRuleValues` then indexes `psLayer->_class[psLayer->numclasses - 1]`, which evaluates to `_class[-1]` when `numclasses` is 0, resulting in a NULL pointer dereference. This affects MapServer versions from 6.4.0 up to (but not including) 8.6.3 [1].
Exploitation
An unauthenticated attacker can trigger the vulnerability by sending a crafted SLD document via the WMS `SLD_BODY=` parameter. The SLD need only be approximately 200 bytes and contain a `<Rule>` with `<ElseFilter/>` and no symbolizer. No authentication or user interaction is required; the WMS handler directly processes the SLD, reaching the vulnerable code path [1].
Impact
Successful exploitation causes a NULL pointer dereference, leading to a denial of service (crash) of the MapServer process. No evidence of code execution or information disclosure is present in the available references. The crash is immediate upon processing the malicious SLD [1].
Mitigation
The vulnerability is fixed in MapServer version 8.6.3, released on 2026-05-27. Users should upgrade to 8.6.3 or later. No workarounds are documented, and the issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
Root cause
"Hardcoded class delta of 1 in the `<ElseFilter/>` branch assumes `msSLDParseRule` always adds a class, but a rule with no symbolizer adds zero, causing an out-of-bounds index of -1 into `_class`."
Attack vector
An unauthenticated attacker sends a WMS `GetMap` request with a 200-byte well-formed SLD payload via the `SLD_BODY=` parameter (or `SLD=` URL variant). The SLD contains a `<Rule>` with only `<ElseFilter/>` and no symbolizer — structurally valid per the SLD schema. The WMS handler at `src/mapwms.cpp:1896` calls `msSLDApplySLD` without sanitization, which reaches `msSLDParseUserStyle`. The `if (psElseFilter)` block calls `_SLDApplyRuleValues` with a hardcoded delta of 1, but `msSLDParseRule` added zero classes (no symbolizer found), causing a NULL pointer dereference at index -1 [ref_id=1]. The `wms_sld_enabled` setting defaults to true, so no special configuration is required [ref_id=1].
Affected code
The bug resides in `src/mapogcsld.cpp` (or `mapogcsld.c` in older series) inside `msSLDParseUserStyle`. The vulnerable block is at lines 930-937, where `_SLDApplyRuleValues(psRule, psLayer, 1);` is called unconditionally for any `<Rule>` carrying `<ElseFilter/>`, assuming `msSLDParseRule` added exactly one class. The crash site is `_SLDApplyRuleValues` at line 754-755, which indexes `psLayer->_class[psLayer->numclasses - 1 - i]` — when `numclasses` is 0, the index is -1 [ref_id=1].
What the fix does
The advisory recommends computing the actual class delta instead of asserting 1, mirroring the regular-rule branch: record `psLayer->numclasses` before calling `msSLDParseRule`, compute `added` as the difference afterward, and only call `_SLDApplyRuleValues` and set `isfallback` when `added > 0` [ref_id=1]. This closes the vulnerability by ensuring the code never indexes `_class[-1]` when no symbolizer was present. The fix is included in MapServer 8.6.3 [ref_id=1].
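The two shapes of the `<ElseFilter/>` branch described above, as an added C illustration that is not MapServer's own code: `layerObj`, `classObj`, `ruleObj`, `parse_rule` and `apply_rule_values` are hypothetical stand-ins for the project's structs, `msSLDParseRule` and `_SLDApplyRuleValues`, reduced to the fields the bug touches. The stand-in for `_SLDApplyRuleValues` returns the negative index instead of dereferencing it, so the demo runs without crashing; the vulnerable shape reports index -1 for a rule with no symbolizer, while the fixed shape measures the class delta and skips the call when nothing was added.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, reduced stand-ins for MapServer's classObj/layerObj/ruleObj.
 * Only the fields this demo needs are present; these are not the real structs. */
typedef struct {
    int    isfallback;   /* set on the class that implements <ElseFilter/> */
    double minscale;     /* a rule-level value copied onto the class */
} classObj;

typedef struct {
    classObj **_class;   /* MapServer keeps a classObj* array in _class */
    int        numclasses;
    int        maxclasses;
} layerObj;

typedef struct {
    int    has_symbolizer;  /* 0 models a <Rule> with no symbolizer at all */
    double minscale;        /* rule value that would be applied to new classes */
} ruleObj;

static void layer_init(layerObj *l, int cap) {
    l->_class = calloc((size_t)cap, sizeof *l->_class);
    l->numclasses = 0;
    l->maxclasses = cap;
}

static void layer_free(layerObj *l) {
    for (int i = 0; i < l->numclasses; i++) free(l->_class[i]);
    free(l->_class);
}

/* Stand-in for msSLDParseRule: one class per symbolizer, zero when the rule
 * has none. Returns the number of classes appended to the layer. */
static int parse_rule(const ruleObj *r, layerObj *l) {
    if (!r->has_symbolizer || l->numclasses >= l->maxclasses) return 0;
    classObj *c = calloc(1, sizeof *c);
    l->_class[l->numclasses++] = c;
    return 1;
}

/* Stand-in for _SLDApplyRuleValues: writes rule values onto the last `delta`
 * classes through _class[numclasses - 1 - i]. Returns 0 on success; if the
 * computed index is negative it returns that index instead of dereferencing
 * it (the real code would read _class[-1] and crash). */
static int apply_rule_values(const ruleObj *r, layerObj *l, int delta) {
    for (int i = 0; i < delta; i++) {
        int idx = l->numclasses - 1 - i;
        if (idx < 0) return idx;
        l->_class[idx]->minscale = r->minscale;
        l->_class[idx]->isfallback = 1;
    }
    return 0;
}

/* Vulnerable shape: the ElseFilter branch asserts a class delta of 1. */
static int else_branch_vulnerable(const ruleObj *r, layerObj *l) {
    parse_rule(r, l);                    /* may append zero classes */
    return apply_rule_values(r, l, 1);   /* index -1 when nothing was added */
}

/* Fixed shape: record numclasses before, compute the real delta after, and
 * only apply values (and mark the fallback) when added > 0. */
static int else_branch_fixed(const ruleObj *r, layerObj *l) {
    int before = l->numclasses;
    parse_rule(r, l);
    int added = l->numclasses - before;
    if (added > 0) return apply_rule_values(r, l, added);
    return 0;                            /* nothing to apply, nothing indexed */
}

/* Status of the vulnerable branch for a rule with/without a symbolizer. */
int run_vulnerable(int has_symbolizer) {
    ruleObj r = { has_symbolizer, 250000.0 };
    layerObj l; layer_init(&l, 4);
    int status = else_branch_vulnerable(&r, &l);
    layer_free(&l);
    return status;
}

/* Status of the fixed branch for the same inputs. */
int run_fixed(int has_symbolizer) {
    ruleObj r = { has_symbolizer, 250000.0 };
    layerObj l; layer_init(&l, 4);
    int status = else_branch_fixed(&r, &l);
    layer_free(&l);
    return status;
}

/* Number of classes the fixed branch leaves on the layer. */
int run_fixed_numclasses(int has_symbolizer) {
    ruleObj r = { has_symbolizer, 250000.0 };
    layerObj l; layer_init(&l, 4);
    else_branch_fixed(&r, &l);
    int n = l.numclasses;
    layer_free(&l);
    return n;
}

int main(void) {
    printf("no symbolizer:   vulnerable=%d fixed=%d classes=%d\n",
           run_vulnerable(0), run_fixed(0), run_fixed_numclasses(0));
    printf("with symbolizer: vulnerable=%d fixed=%d classes=%d\n",
           run_vulnerable(1), run_fixed(1), run_fixed_numclasses(1));
    return 0;
}
```

The only difference between the two branches is that the fixed one derives `added` from `numclasses` before and after the parse call instead of hard-coding 1, which is the same shape the advisory says the regular-rule branch already used.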
Preconditions
- network: The WMS endpoint must be reachable by the attacker
- config: `wms_sld_enabled` must not be explicitly set to false (default is true)
- auth: No authentication is required
- input: Attacker supplies a well-formed SLD payload with `<ElseFilter/>` and no symbolizer
Reproduction
**Path A — via mapserv WMS GetMap:**

```bash
curl -v --get \
  --data-urlencode "map=/path/to/test.map" \
  --data-urlencode "SERVICE=WMS" \
  --data-urlencode "VERSION=1.1.1" \
  --data-urlencode "REQUEST=GetMap" \
  --data-urlencode "LAYERS=x" \
  --data-urlencode "SRS=EPSG:4326" \
  --data-urlencode "BBOX=-180,-90,180,90" \
  --data-urlencode "WIDTH=256" \
  --data-urlencode "HEIGHT=256" \
  --data-urlencode "FORMAT=image/png" \
  --data-urlencode "SLD_BODY@payload.xml" \
  "http://localhost/cgi-bin/mapserv"
```
**Path B — standalone harness calling `msSLDApplySLD` directly:** Compile with ASan/UBSan and run `./poc_sld_elsefilter` [ref_id=1].
**Payload (`payload.xml`):**

```xml
<?xml version="1.0"?>
<StyledLayerDescriptor xmlns="http://www.opengis.net/sld" version="1.0.0">
  <NamedLayer><Name>x</Name><UserStyle><FeatureTypeStyle><Rule>
    <ElseFilter/>
  </Rule></FeatureTypeStyle></UserStyle></NamedLayer>
</StyledLayerDescriptor>
```
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0 (no linked articles in our index yet)