CVE-2024-25198

9.1 CRITICAL

📋 TL;DR

This CVE describes a use-after-free in the AMCL node of ROS 2 Nav2 (navigation2) on Humble. The node resets its shared pointers in the wrong order, so an object that still holds a reference to the tf listener/buffer is destroyed after the object it refers to has already been freed. The practical result is a crash of the localization node; in principle a use-after-free can also be turned into arbitrary code execution. Systems running ROS 2 Humble with Nav2 are affected.

💻 Affected Systems

Products:
  • ROS2 Navigation2 (Nav2)
  • ROS2 Humble
Versions: Nav2 (navigation2) builds for ROS 2 Humble that predate the fix in navigation2 pull requests #4068 and #4070
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically affects the AMCL (Adaptive Monte Carlo Localization) node in Nav2, package nav2_amcl, source file nav2_amcl/src/amcl_node.cpp. AMCL is the localizer started by the default Nav2 bringup, and the executable (and therefore the process name in crash logs) is amcl.

📦 What is this software?

Nav2 (navigation2) is the navigation stack for ROS 2: path planning, control, recovery behaviors and localization for mobile robots. nav2_amcl implements Adaptive Monte Carlo Localization, a particle-filter localizer that matches incoming laser scans against a known map, using the tf transform tree, to estimate where the robot is. It runs as a managed (lifecycle) node inside the Nav2 launch.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution in the AMCL process, giving an attacker control of the localization output and a foothold on the robot's onboard computer or the infrastructure it talks to.

🟠

Likely Case

The AMCL node crashes with a segmentation fault. Localization stops, the rest of Nav2 loses its pose estimate, and an autonomous system either halts or keeps moving on stale information, which is an operational and potentially a safety problem.

🟢

If Mitigated

With the patch applied, none. Without the patch, ASLR and a hardened heap allocator make turning the use-after-free into code execution much harder, but they do not prevent the crash, so the residual impact is a denial of service of localization.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires reaching the AMCL node with input that drives it through the faulty pointer-reset sequence. Any participant on the same DDS domain can talk to the node by default, so no authentication is needed unless SROS2 (DDS Security) has been enabled. No public exploit is known and no code-execution technique has been published; the demonstrated outcome is a crash.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Patched in navigation2 pull requests #4068 and #4070

Vendor Advisory: https://github.com/ros-planning/navigation2/pull/4068

Restart Required: Yes

Instructions:

1. Binary installs: update the Humble Nav2 packages (ros-humble-navigation2 and ros-humble-nav2-amcl) to a release that includes the fix.
2. Source builds: pull the humble branch of the navigation2 repository at or after the merge of pull requests #4068 and #4070.
3. Rebuild the workspace with colcon and reinstall the Nav2 packages.
4. Restart the AMCL node (in practice, restart the Nav2 launch that brings it up); the running process keeps the old code until it is restarted.

🔧 Temporary Workarounds

Run without the AMCL node

Platform: Linux

Temporarily run without the vulnerable AMCL localization component. The cleanest option is to leave it out of your bringup launch so it never starts. If it is already running, shut it down with the lifecycle CLI, substituting the node's actual name (the default Nav2 bringup names it amcl, not amcl_node; ros2 lifecycle nodes lists the lifecycle nodes on the domain):

ros2 lifecycle set /amcl_node shutdown

Caveat: a vulnerable node can trip the bug while it tears down its own pointers, so a crash or error on the way out of this transition is expected and not a sign that the workaround failed. Stopping the launch process outright avoids the transition entirely. Either way the robot has no localization until AMCL is replaced or patched.

🧯 If You Can't Patch

  • Segment the network so that only the robot's own computers and trusted operator hosts can reach the DDS domain; set ROS_DOMAIN_ID deliberately and block DDS discovery/data ports at the network boundary.
  • Enable SROS2 (DDS Security) so that only authenticated participants with matching permissions can publish to or call the AMCL node.
  • Keep ASLR enabled and consider a hardened heap allocator; these raise the cost of turning the use-after-free into code execution. Stack canaries do not help here, since this is a heap object lifetime bug, not a stack overflow.

🔍 How to Verify

Check if Vulnerable:

Open nav2_amcl/src/amcl_node.cpp from the source your binaries were built from and look at the block where the node resets its shared pointers (lines 331-344 in the vulnerable Humble source). If tf_listener_.reset() is executed before laser_scan_filter_.reset(), the build is vulnerable.

Check Version:

ros2 pkg xml nav2_amcl | grep '<version>'

For a binary install, apt list --installed ros-humble-nav2-amcl shows the same thing. The advisory identifies the fix by pull request rather than by release number, so check the navigation2 humble changelog for the release that merged #4068 and #4070 and compare it with the version reported here.

Verify Fix Applied:

In nav2_amcl/src/amcl_node.cpp, confirm that laser_scan_filter_.reset() is called before tf_listener_.reset(): the object holding the reference is released first, then the object it refers to. If tf_listener_.reset() still comes first, the fix is not applied. For a definitive answer on a running build, compile nav2_amcl with AddressSanitizer (-fsanitize=address) and exercise the node's cleanup; ASan reports a heap-use-after-free at the exact access instead of an intermittent crash.
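The reset-order bug described in the TL;DR and checked by the step above, as an added stand-alone C++ model. This is not Nav2 code: Buffer stands in for the tf buffer/listener that tf_listener_ owns, Filter for the laser scan message filter held by laser_scan_filter_, and the assumed relationship (which the fix's ordering implies) is that the filter keeps a non-owning reference to the buffer and calls back into it from its destructor. Instead of dereferencing freed memory, the model records buffer liveness in a registry so that the dangling access is detected deterministically.

```cpp
// Added example, not Nav2 code: a minimal model of the shared_ptr reset-order
// bug in this CVE. Run it to see one dangling access in the vulnerable order
// and none in the fixed order.
#include <cstdio>
#include <memory>
#include <set>

// Registry of live buffer ids. The model checks this instead of touching a
// destroyed object, so the use-after-free is observed rather than executed.
static std::set<unsigned> g_live_buffers;
static unsigned g_next_buffer_id = 1;
static int g_dangling_accesses = 0;

// Stand-in for the tf buffer/listener owned by tf_listener_ (assumption).
struct Buffer {
  unsigned id;
  int pending_requests = 0;
  Buffer() : id(g_next_buffer_id++) { g_live_buffers.insert(id); }
  ~Buffer() { g_live_buffers.erase(id); }
  void cancel() { --pending_requests; }
};

// Stand-in for the laser scan message filter (assumption). It does not own
// the buffer, so the enclosing node must release it before the buffer.
struct Filter {
  Buffer * buffer;      // non-owning reference, as the real filter holds
  unsigned buffer_id;   // remembered so liveness can be checked without *buffer
  explicit Filter(Buffer * b) : buffer(b), buffer_id(b->id) { ++b->pending_requests; }
  ~Filter() {
    // The real filter cancels its outstanding transform requests on the
    // buffer here. If the buffer is already gone, that is a use-after-free.
    if (g_live_buffers.count(buffer_id) == 0) {
      ++g_dangling_accesses;  // record it instead of crashing
      return;
    }
    buffer->cancel();
  }
};

// Mirrors the two members whose reset order the fix changes.
struct AmclLikeNode {
  std::shared_ptr<Buffer> tf_listener_;
  std::shared_ptr<Filter> laser_scan_filter_;

  AmclLikeNode()
  : tf_listener_(std::make_shared<Buffer>()),
    laser_scan_filter_(std::make_shared<Filter>(tf_listener_.get())) {}

  // Vulnerable order: the buffer is freed while the filter still refers to
  // it, so the filter's destructor touches freed memory.
  void cleanup_vulnerable() {
    tf_listener_.reset();
    laser_scan_filter_.reset();
  }

  // Fixed order: release the consumer of the buffer first, then the buffer.
  void cleanup_fixed() {
    laser_scan_filter_.reset();
    tf_listener_.reset();
  }
};

// Runs one cleanup and returns how many dangling accesses the model observed.
int dangling_accesses_after(bool fixed_order) {
  g_dangling_accesses = 0;
  AmclLikeNode node;
  if (fixed_order) {
    node.cleanup_fixed();
  } else {
    node.cleanup_vulnerable();
  }
  return g_dangling_accesses;
}

int main() {
  std::printf("vulnerable order: %d dangling access(es)\n", dangling_accesses_after(false));
  std::printf("fixed order:      %d dangling access(es)\n", dangling_accesses_after(true));
  return 0;
}
```

The registry trick is only for the model. On the real node the same mistake dereferences freed heap memory, which may crash immediately, crash later, or silently corrupt state depending on allocator reuse; that is why an AddressSanitizer build is the reliable way to confirm the fix on a running system.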

📡 Detection & Monitoring

Log Indicators:

  • Segmentation faults in the amcl process (kernel/journald lines of the form "amcl[PID]: segfault at ...", or a systemd-coredump entry for amcl)
  • glibc heap corruption aborts from the amcl process ("free(): invalid pointer", "malloc(): corrupted ...")
  • Unexpected AMCL node restarts, or Nav2 reporting loss of localization (tf timeouts on the map to odom transform) without an operator action

Network Indicators:

  • Nodes or DDS participants on the domain that are not part of the expected robot software (compare the output of ros2 node list against a known-good baseline)
  • Lifecycle transitions or service calls to the AMCL node that no operator or supervisor initiated
  • Unusual publishers on the laser scan, tf or initial pose topics AMCL consumes, especially from hosts outside the robot

SIEM Query:

(process.name:amcl OR message:"amcl[") AND (message:"segfault" OR message:"SIGSEGV" OR message:"coredump")

Field names vary by SIEM; the intent is to match kernel, journald and systemd-coredump records for the amcl process. On the robot itself, coredumpctl list amcl shows recorded crashes. Note that the nav2_amcl executable is named amcl (amcl_node is the source file), and that Windows-style event IDs such as 1000 do not apply to these Linux systems.

🔗 References
