Description
navigation2 is a ROS 2 Navigation Framework and System. In 1.3.11 and earlier, a critical heap out-of-bounds write vulnerability exists in Nav2 AMCL's particle filter clustering logic. By publishing a single crafted geometry_msgs/PoseWithCovarianceStamped message with extreme covariance values to the /initialpose topic, an unauthenticated attacker on the same ROS 2 DDS domain can trigger a negative index write (set->clusters[-1]) into heap memory preceding the allocated buffer. In Release builds, the sole boundary check (assert) is compiled out, leaving zero runtime protection. This primitive allows controlled corruption of the heap chunk metadata (at least the size of the heap chunk that holds set->clusters is controllable by the attacker), potentially leading to further exploitation. At minimum, it provides a reliable single-packet denial of service that kills localization and halts all navigation.
Published: 2026-02-12
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A heap out‑of‑bounds write occurs in the Nav2 AMCL particle filter clustering logic when an attacker publishes a PoseWithCovarianceStamped message to the /initialpose topic containing extreme covariance values. The malicious message causes the filtering code to compute a negative index and write before the allocated buffer, corrupting the heap chunk metadata. This primitive can be leveraged to overwrite protected heap fields and potentially lead to remote code execution; at minimum the flaw causes a reliable denial of service by killing localization and halting navigation.

Affected Systems

Version 1.3.11 and earlier of the ROS 2 Navigation Framework (navigation2) from the vendor ros-navigation are affected. Users operating these releases on a ROS 2 DDS domain that allows publishing to /initialpose are in scope.

Risk and Exploitability

The vulnerability has a CVSS base score of 9.3, indicating critical severity. The EPSS score is below 1%, suggesting that industrial exploitation is currently unlikely, and the issue is not listed in CISA’s KEV catalog. However, the attack vector requires that the attacker has network access to the same ROS 2 DDS domain and can publish to /initialpose; no authentication is required. Release builds compile out the only boundary check (an assert), leaving zero runtime protection. The described corruption of heap metadata provides a foothold for adversaries to achieve remote code execution, but even without that, the uncontrolled write results in a deterministic denial of service that stops all navigation processes.

Generated by OpenCVE AI on April 17, 2026 at 19:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the navigation2 package to a release that includes the fix (v1.3.12 or newer).
  • If an immediate upgrade is not possible, whitelist or limit the covariance values accepted on the /initialpose topic, or configure the node to reject messages with covariance outside a safe range.
  • Remove or block the /initialpose topic from unauthorized publishers by isolating the ROS 2 DDS domain or setting stricter transport security so only trusted nodes can publish to it.
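
The covariance filtering recommended above, together with a bounds check that does not depend on assert(), could look like the following. This is an added example, not code from navigation2: the limits MAX_POS_VAR and MAX_YAW_VAR, the function names, and the parameter names are assumptions, and check_diag() builds constructed sample input.

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>

/* Assumed deployment limits, not values taken from navigation2. */
#define MAX_POS_VAR 25.0  /* m^2: x/y standard deviation up to 5 m */
#define MAX_YAW_VAR 9.87  /* rad^2: roughly pi^2 */

/* geometry_msgs/PoseWithCovariance.covariance is a row-major 6x6 matrix
 * over (x, y, z, rot X, rot Y, rot Z); these are the x, y and yaw terms. */
enum { COV_LEN = 36, COV_XX = 0, COV_XY = 1, COV_YX = 6, COV_YY = 7, COV_YAW = 35 };

static bool in_range(double v, double hi) {
    return isfinite(v) && v >= 0.0 && v <= hi;
}

/* Ingress filter: true only if the covariance is finite and plausible. */
bool initialpose_cov_ok(const double cov[COV_LEN]) {
    if (cov == NULL) return false;
    for (size_t i = 0; i < COV_LEN; i++)
        if (!isfinite(cov[i])) return false;      /* rejects NaN and +/-Inf */
    if (!in_range(cov[COV_XX], MAX_POS_VAR)) return false;
    if (!in_range(cov[COV_YY], MAX_POS_VAR)) return false;
    if (!in_range(cov[COV_YAW], MAX_YAW_VAR)) return false;
    /* The x/y block must be positive semi-definite (determinant >= 0). */
    return cov[COV_XX] * cov[COV_YY] - cov[COV_XY] * cov[COV_YX] >= 0.0;
}

/* Bounds check that stays in Release builds, unlike assert() under NDEBUG.
 * Parameter names are hypothetical. */
bool cluster_index_ok(int cidx, int cluster_max_count) {
    return cidx >= 0 && cidx < cluster_max_count;
}

/* Constructed sample: a diagonal covariance with the given x, y, yaw variances. */
bool check_diag(double xx, double yy, double yaw) {
    double cov[COV_LEN] = {0};
    cov[COV_XX] = xx; cov[COV_YY] = yy; cov[COV_YAW] = yaw;
    return initialpose_cov_ok(cov);
}
```

A subscriber callback would drop any message for which initialpose_cov_ok() returns false before the pose reaches the particle filter, and code that indexes a cluster array would skip the write when cluster_index_ok() fails.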



Advisories

No advisories yet.

History

Mon, 23 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Opennav
Opennav nav2
CPEs cpe:2.3:a:opennav:nav2:*:*:*:*:*:*:*:*
Vendors & Products Opennav
Opennav nav2
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Ros-navigation
Ros-navigation navigation2
Vendors & Products Ros-navigation
Ros-navigation navigation2

Fri, 13 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
Description navigation2 is a ROS 2 Navigation Framework and System. In 1.3.11 and earlier, a critical heap out-of-bounds write vulnerability exists in Nav2 AMCL's particle filter clustering logic. By publishing a single crafted geometry_msgs/PoseWithCovarianceStamped message with extreme covariance values to the /initialpose topic, an unauthenticated attacker on the same ROS 2 DDS domain can trigger a negative index write (set->clusters[-1]) into heap memory preceding the allocated buffer. In Release builds, the sole boundary check (assert) is compiled out, leaving zero runtime protection. This primitive allows controlled corruption of the heap chunk metadata (at least the size of the heap chunk that holds set->clusters is controllable by the attacker), potentially leading to further exploitation. At minimum, it provides a reliable single-packet denial of service that kills localization and halts all navigation.
Title Critical Heap Out-of-bounds Access in `pf_cluster_stats()` via Malicious /initialpose Covariance -- Potential Remote Code Execution
Weaknesses CWE-122
CWE-787
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-13T17:14:40.661Z

Reserved: 2026-02-09T21:36:29.553Z

Link: CVE-2026-26011

Vulnrichment

Updated: 2026-02-13T17:14:18.790Z

NVD

Status: Analyzed

Published: 2026-02-12T21:16:03.340

Modified: 2026-02-23T17:00:05.130

Link: CVE-2026-26011

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:00:09Z

Weaknesses