Use-After-Free Vulnerability in ROS2 and Nav2 humble Versions
CVE-2024-38921

9.8CRITICAL

Key Information:

Vendor: Open Robotics
Status: Robot Operating System
Vendor: CVE Published:; 6 December 2024

🔔 Create Open Robotics Vulnerability Alert

What is CVE-2024-38921?

The Open Robotics Robotic Operating System 2 (ROS2) and Nav2 humble versions are susceptible to a use-after-free vulnerability related to the nav2_amcl process. This flaw can be exploited remotely by sending a request to modify the value of the dynamic parameter '/amcl z_rand'. Successful exploitation may lead to unintended behavior or crashes, posing significant security risks to robotics applications using these systems. Immediate attention and remedies are crucial to mitigate potential attacks stemming from this vulnerability.

References

https://github.com/ros-navigation/navigation2/issues/4379

https://github.com/ros-navigation/navigation2/pull/4397

https://github.com/GoesM/ROS-CVE-CNVDs

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 6, 2024