Open Robotics Robotic Operating System 2 (ROS2) and Nav2 humble version was discovered to contain a heap overflow in the nav2_amcl process. This vulnerability is triggered via sending a crafted message to the component /initialpose.
The vulnerability consists of a heap buffer overflow (heap overflow, CWE-787, CWE-120) in the nav2_amcl process, which is responsible for robot localization using the Monte Carlo method. An attacker sends a specially crafted network message to the ROS2 /initialpose topic, causing data to be written beyond the boundaries of the allocated heap buffer. Due to the lack of authentication requirements and low attack complexity, the exploit can be performed remotely without any privileges.
Successful exploitation of the vulnerability may allow an attacker to achieve remote code execution (RCE), cause a crash of the robot's navigation process, or take control of the system — which in robotic environments may lead to physical consequences. The vulnerability provides complete impact on confidentiality, integrity, and availability of the system (CVSS C:H/I:H/A:H).
Patches available from the vendor should be applied according to references — the fix pull request is available in the ros-navigation/navigation2 repository (PR #4301). It is also recommended to restrict network access to the /initialpose topic exclusively to trusted senders using access control mechanisms or network-level firewall rules.
Open Robotics Robot Operating System 2 (ROS2) and Nav2 in the humble version
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HOpenrobotics Robot Operating System
APPOpenrobotics2
Related vulnerabilities
Use-after-free w ROS2 Nav2 — zdalny atak przez zmianę parametru AMCL
Use-after-free w ROS2 Nav2 humble poprzez proces nav2_amcl
Use-after-free w ROS2 Nav2 — zdalny atak przez parametr /amcl z_rand
Use-after-free w ROS2 Nav2 humble — zdalny exploit przez nav2_amcl
Use-after-free w ROS2 Nav2 humble via proces nav2_amcl