Untriaged
CVE-2026-45104
7.5 HIGH
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): None (N)
- Integrity (I): None (N)
- Availability (A): High (H)
- Modified Attack Vector (MAV): Network (N)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): None (N)
- Modified Confidentiality (MC): None (N)
- Modified Scope (MS): Unchanged (U)
- Modified Integrity (MI): None (N)
- Modified Availability (MA): High (H)
Activity log
- Created suggestion
MapServer: NULL pointer dereference in SLD `<ElseFilter>` rule parsing reachable via WMS `SLD_BODY`
MapServer is a system for developing web-based GIS applications. From 6.4.0 to before 8.6.3, `msSLDParseUserStyle` always calls `_SLDApplyRuleValues(psRule, psLayer, 1);` for any `<Rule>` carrying `<ElseFilter/>`, because it assumes `msSLDParseRule` added one class. When the rule has no symbolizer (a structurally valid SLD), `msSLDParseRule` adds zero classes, and `_SLDApplyRuleValues` ends up indexing `_class[-1]`, resulting in a NULL pointer dereference. A 200-byte well-formed SLD passed via the WMS `SLD_BODY=` parameter is enough to trigger this, and no authentication is required. This vulnerability is fixed in 8.6.3.
References
- https://github.com/MapServer/MapServer/security/advisories/GHSA-4h8g-378q-r75m (x_refsource_CONFIRM)
Affected products
MapServer
- >= 6.4.0, < 8.6.3
Matching in nixpkgs
pkgs.mapserver
Platform for publishing spatial data and interactive mapping applications to the web
Package maintainers
- @imincik Ivan Mincik <ivan.mincik@gmail.com>
- @autra Augustin Trancart <augustin.trancart@gmail.com>
- @nialov Nikolas Ovaskainen <nikolasovaskainen@gmail.com>
- @nh2 Niklas Hambüchen <mail@nh2.me>
- @willcohen Will Cohen
- @l0b0 Victor Engmark <victor@engmark.name>
- @sikmir Nikolay Korotkiy <sikmir@disroot.org>