CVE-2026-45104: MapServer: NULL pointer dereference in SLD `<ElseFilter>` rule parsing reachable via WMS `SLD_BODY`
MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, msSLDParseUserStyle always calls _SLDApplyRuleValues(psRule, psLayer, 1); for any <Rule> carrying <ElseFilter/> — it assumes msSLDParseRule added one class. When the rule has no symbolizer (a structurally valid SLD), msSLDParseRule adds zero, and _SLDApplyRuleValues ends up indexing _class[-1], resulting in a NULL pointer dereference. A 200-byte well-formed SLD via the WMS SLD_BODY= parameter is enough to trigger this, no auth required. This vulnerability is fixed in 8.6.3.
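A reduced C model of the unchecked assumption described above, added here as an illustration; it is not MapServer source and not the upstream fix, and every type and function name in it (parse_rule, first_index_unchecked, apply_else_checked, handle_rule) is hypothetical. It shows the index a caller computes when it hard-codes "one new class" on an empty layer, next to a guarded caller that uses the count the parser actually returned.

```c
#include <stdio.h>

/* Reduced model of the flaw, NOT MapServer source; every name is hypothetical. */
#define MAX_CLASSES 8
typedef struct { int is_else; } class_t;
typedef struct { class_t *classes[MAX_CLASSES]; int numclasses; } layer_t;
typedef struct { int has_else_filter; int n_symbolizers; } rule_t;

static class_t pool[MAX_CLASSES];

/* Models rule parsing: one class per symbolizer, so a symbolizer-less
 * rule adds nothing. Returns how many classes were actually added. */
static int parse_rule(const rule_t *r, layer_t *l) {
    int added = 0;
    while (added < r->n_symbolizers && l->numclasses < MAX_CLASSES) {
        pool[l->numclasses].is_else = 0;
        l->classes[l->numclasses] = &pool[l->numclasses];
        l->numclasses++;
        added++;
    }
    return added;
}

/* First index the unchecked caller would touch when it hard-codes
 * "one new class": numclasses - 1, which is -1 on an empty layer. */
static int first_index_unchecked(const layer_t *l) { return l->numclasses - 1; }

/* Guarded variant: use the count the parser reported and bounds-check it
 * before touching the array. Returns the number of classes marked. */
static int apply_else_checked(layer_t *l, int added) {
    if (added <= 0 || added > l->numclasses) return 0;
    for (int i = l->numclasses - added; i < l->numclasses; i++)
        l->classes[i]->is_else = 1;
    return added;
}

static int handle_rule(const rule_t *r, layer_t *l) {
    int added = parse_rule(r, l);
    return r->has_else_filter ? apply_else_checked(l, added) : 0;
}

int main(void) {
    layer_t l = {0};
    rule_t no_sym = {1, 0}, one_sym = {1, 1};   /* constructed inputs */
    printf("unchecked index on empty layer: %d\n", first_index_unchecked(&l));
    printf("marked (no symbolizer): %d\n", handle_rule(&no_sym, &l));
    printf("marked (one symbolizer): %d\n", handle_rule(&one_sym, &l));
    return 0;
}
```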
HarborGuard Analysis
Synopsis
A NULL pointer dereference vulnerability in MapServer affects the SLD ElseFilter rule parser in versions from 6.4.0 to before 8.6.3. The flaw is triggered over the network with no authentication by sending a small, well-formed SLD document via the WMS SLD_BODY parameter; the parser incorrectly assumes at least one symbolizer class exists in an ElseFilter rule and indexes into a negative offset, crashing the process. Successful exploitation causes a denial of service by taking down the MapServer process. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-45104 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built MapServer images, in both registry scans and CI/CD pipeline checks.
Status: Available
HarborGuard scores this CVE at CVSS 7.5 HIGH (v3.1) and is capable of weighting that score against each customer environment's compliance policy to surface it at the appropriate severity tier, routing findings to the correct team inbox within each customer organization.
Status: Available
Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainers ship a corrected release. Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads as soon as a fix version becomes available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The vulnerable WMS endpoint must be reachable over the network; an attacker sends a crafted SLD_BODY parameter in a standard HTTP request to trigger the crash.
- Authentication: Not required
  No credentials or session token are needed; the WMS SLD_BODY parameter is processed before any authentication check.
- Victim interaction: Not required
  No user interaction is required; the crash is triggered entirely by the attacker's inbound HTTP request.
- Attack complexity: Detail
  Exploitation is reliable and condition-free; a 200-byte well-formed SLD document is sufficient to reproduce the NULL pointer dereference on any affected version.
Blast Radius
- Crashes the MapServer worker process handling the malicious request, taking the WMS endpoint offline.
- Repeated requests can sustain a denial-of-service condition, making all map rendering and WMS query functionality unavailable to legitimate users.
- No confidentiality or data-integrity impact is indicated by the CVSS vector; stored data is not read or modified by this exploit.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-45104 is active across customer environments scanning MapServer images, including any custom-built derivatives that bundle an affected version (>= 6.4.0, < 8.6.3). Because no upstream patch has been published yet, HarborGuard re-evaluates the advisory on every ingest cycle and will surface a patched-image rebuild automatically once the MapServer project ships a fix. In the interim, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation to restrict WMS endpoint exposure to trusted source ranges, egress filtering on MapServer containers, and feature-flag gating to disable SLD_BODY processing where the feature is not required by the workload. For customers with auto-remediation enabled, the full rebuild, regression-test, and PR flow will activate without manual intervention the moment a fix version is confirmed upstream.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - MapServer / MapServer >= 6.4.0, < 8.6.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H