2482360 – (CVE-2026-45104) CVE-2026-45104 mapserver: MapServer: Denial of Service via malformed SLD in WMS SLD_BODY parameter

Bug 2482360 (CVE-2026-45104) - CVE-2026-45104 mapserver: MapServer: Denial of Service via malformed SLD in WMS SLD_BODY parameter

Summary: CVE-2026-45104 mapserver: MapServer: Denial of Service via malformed SLD in W...

Keywords:
Status:	NEW
Alias:	CVE-2026-45104
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2482505 2482506
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-27 20:01 UTC by OSIDB Bzimport
Modified:	2026-05-28 10:00 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-27 20:01:34 UTC

MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/> — it assumes msSLDParseRule added one class. When the rule has no symbolizer (a structurally valid SLD), msSLDParseRule adds zero, and _SLDApplyRuleValues ends up indexing _class[-1], resulting in a NULL pointer dereference. A 200-byte well-formed SLD via the WMS SLD_BODY= parameter is enough to trigger this, no auth required. This vulnerability is fixed in 8.6.3.

Note You need to log in before you can comment on or make changes to this bug.