{
  "variant_id": "cve-2026-33721-variant-analysis-20260528",
  "created_at": "2026-05-28T13:48:00Z",
  "variant_summary": "Systematic variant analysis of CVE-2026-33721 found no bypass or alternate trigger. The single-line fix (replacing nValues with nThresholds in the reallocation guard at mapogcsld.cpp:2897) is logically complete. Five distinct payloads/entry points were tested on both the vulnerable (rel-8-6-0) and the fixed (rel-8-6-1) builds; none bypassed the fix.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "https://github.com/MapServer/MapServer",
  "submitted_target": {
    "target_kind": "git_tag",
    "commit_sha": "986c300c29055b837bfeb5f3c8e1b61583a52938",
    "version": "8.6.0",
    "ref": "rel-8-6-0",
    "display": "MapServer rel-8-6-0 (vulnerable)"
  },
  "variant_target": {
    "target_kind": "git_tag",
    "commit_sha": "292d06f99f427ff4ea54720849659cbd9f8cfef8",
    "version": "8.6.1",
    "ref": "rel-8-6-1",
    "display": "MapServer rel-8-6-1 (fixed)"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "WMS SLD_BODY/SLD parameter -> msSLDApplySLD / msSLDApplySLDURL -> msSLDParseSLD -> msSLDParseRasterSymbolizer -> se:Categorize se:Threshold parsing",
  "validated_surface": "WMS SLD_BODY/SLD parameter -> msSLDApplySLD / msSLDApplySLDURL -> msSLDParseSLD -> msSLDParseRasterSymbolizer -> se:Categorize se:Threshold parsing",
  "required_entrypoint_kind": "http_parameter",
  "required_entrypoint_detail": "Unauthenticated WMS request with SLD_BODY (inline SLD XML) or SLD (URL reference) parameter. Tested via GetMap, GetLegendGraphic, and GetStyles operations.",
  "attacker_controlled_input": "OGC SLD XML document containing a se:RasterSymbolizer/se:ColorMap/se:Categorize element with more than 100 se:Threshold children",
  "trigger_path": "WMS GetMap / GetLegendGraphic / GetStyles -> msWMSDispatch -> msSLDApplySLD or msSLDApplySLDURL -> msSLDParseSLD -> msSLDParseRasterSymbolizer -> Categorize child-element loop (mapogcsld.cpp:2881-2902)",
  "observed_impact_class": "none_found",
  "exploitability_confidence": "none",
  "evidence_scope": "code_audit_and_runtime_testing",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": false,
  "inferred": false,
  "claim_block_reason": "fix_is_logically_complete",
  "blocking_mitigation": "The patch changes the reallocation guard from 'nValues == nMaxThreshold' to 'nThresholds == nMaxThreshold'. The nThresholds counter is incremented immediately before the guard, so the condition is now true exactly when the array is full, making overflow impossible.",
  "file_path": "src/mapogcsld.cpp",
  "line_start": 2881,
  "line_end": 2902,
  "secondary_anchors": [
    {
      "file_path": "src/mapwms.cpp",
      "line_start": 1742,
      "line_end": 1747
    },
    {
      "file_path": "src/mapwms.cpp",
      "line_start": 5272,
      "line_end": 5275
    },
    {
      "file_path": "src/mapwms.cpp",
      "line_start": 5631,
      "line_end": 5636
    }
  ],
  "review_scope_paths": [
    "src/mapogcsld.cpp",
    "src/mapwms.cpp",
    "src/mapogcfilter.cpp",
    "src/mapstring.cpp"
  ],
  "artifact_refs": {
    "variant_manifest": "vuln_variant/variant_manifest.json",
    "validation_verdict": "vuln_variant/validation_verdict.json",
    "runtime_manifest": "vuln_variant/reproduction_steps.sh",
    "repro_log": "logs/variant_run1.log",
    "root_cause_equivalence": "vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "vuln_variant/reproduction_steps.sh"
    ]
  }
}
