VYPR
High severity 7.8 · NVD Advisory · Published Dec 5, 2024 · Updated Apr 15, 2026

CVE-2024-30964

Description

Insecure Permissions vulnerability in Open Robotics Robotic Operating System 2 (ROS2) navigation2 ROS2-humble and navigation2-humble allows a local attacker to execute arbitrary code via the initial_pose_sub thread created by nav2_bt_navigator.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A use-after-free vulnerability in ROS2 Navigation2's nav2_amcl node allows local attackers to execute arbitrary code via specially timed /initial_pose messages.

Vulnerability

Details

The ROS2 Navigation2 package (nav2_amcl) contains an insecure permissions vulnerability that can lead to a use-after-free condition when the node improperly shuts down its initial_pose_sub_ subscriber thread [2]. The bug occurs because the subscriber for the /initial_pose topic is not completely closed before the node cleanup, leaving a window where the callback function can still access freed memory [1][2].

Exploitation

A local attacker can exploit this by sending crafted geometry_msgs::PoseWithCovarianceStamped messages to the /initial_pose topic at intervals, then sending a shutdown signal (Ctrl+C) while messages continue to arrive [2]. The timing mismatch between message processing and node shutdown triggers a heap-use-after-free, which AddressSanitizer (ASAN) reports as a read of size 4 in pf_kdtree_insert called from AmclNode::handleInitialPose [2]. No authentication is required to publish to this topic on a local system.

Impact

Successful exploitation can allow a local attacker to execute arbitrary code with the privileges of the Navigation2 process. The CVSS v3 base score is 7.8 (High), reflecting the potential for code execution alongside the need for local access [description]. The vulnerability affects ROS2 Humble distribution and the associated Navigation2 Humble package [2].

Mitigation

A fix was merged in pull request #4176, which completely shuts down the initial_pose_sub_ subscriber to avoid the use-after-free [1]. Users are advised to update their Navigation2 packages to the patched version (commit ae6a5e5 or later) [1]. No workarounds are documented for unpatched versions; limiting local access is a partial mitigation.
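The shutdown ordering described under Details, and the shape of the fix described under Mitigation, as an added model that is not code from Navigation2 or rclcpp (ParticleFilter, AmclLikeNode, sub_active and run_cleanup are invented stand-ins): the thread that delivers /initial_pose messages must be stopped and joined before the state its callback touches is released.

```cpp
// Self-contained model of the shutdown race (not Navigation2/rclcpp code).
#include <atomic>
#include <chrono>
#include <memory>
#include <mutex>
#include <thread>
struct ParticleFilter { int particles = 500; };  // stand-in for pf_t / pf_kdtree
struct AmclLikeNode {
    std::unique_ptr<ParticleFilter> pf_;
    std::atomic<bool> sub_active{false};
    std::thread sub_thread;                 // stand-in for the initial_pose_sub_ thread
    std::mutex pf_mutex;
    std::atomic<int> late_callbacks{0};     // callbacks that ran after pf_ was released

    // Stand-in for AmclNode::handleInitialPose. The null check exists only so the
    // model can count the fault; the real callback would touch freed memory.
    void handleInitialPose() {
        std::lock_guard<std::mutex> lk(pf_mutex);
        if (!pf_) { ++late_callbacks; return; }
        pf_->particles += 1;
    }

    void on_configure() {
        pf_ = std::make_unique<ParticleFilter>();
        sub_active = true;
        sub_thread = std::thread([this] {   // keeps "delivering" /initial_pose messages
            while (sub_active) { handleInitialPose(); std::this_thread::yield(); }
        });
    }

    // Vulnerable order: the filter is released while the subscriber can still fire.
    void on_cleanup_vulnerable() {
        { std::lock_guard<std::mutex> lk(pf_mutex); pf_.reset(); }
        std::this_thread::sleep_for(std::chrono::milliseconds(5));  // messages keep arriving
        sub_active = false;
        if (sub_thread.joinable()) sub_thread.join();
    }

    // Hardened order (the shape of the fix): stop and join the subscriber, then release.
    void on_cleanup_fixed() {
        sub_active = false;
        if (sub_thread.joinable()) sub_thread.join();
        std::lock_guard<std::mutex> lk(pf_mutex);
        pf_.reset();
    }
};
// Runs configure -> cleanup and returns how many callbacks saw a released pf_.
int run_cleanup(bool fixed_order) {
    AmclLikeNode node;
    node.on_configure();
    std::this_thread::sleep_for(std::chrono::milliseconds(5));
    if (fixed_order) node.on_cleanup_fixed(); else node.on_cleanup_vulnerable();
    return node.late_callbacks.load();
}
```

With the hardened order the count is always 0; with the vulnerable order it is usually non-zero, which is the same timing window that ASAN reports on the real node.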

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 1

Vulnerability mechanics: generated on May 9, 2026. Inputs: CWE entries and fix-commit diffs from this CVE's patches. Citations validated against the bundle.

References: 2

News mentions: 0 (no linked articles in our index yet).