PX4 PX4-Autopilot Use-After-Free Vulnerability in Mavlink Shell Handling
Vulnerability
A use-after-free vulnerability has been identified in PX4 PX4-Autopilot versions through 1.15.4. The issue arises in the MavlinkReceiver::handle_message_serial_control function within the mavlink_receiver.cpp file. It is caused by unsynchronized access to the _mavlink_shell pointer, which is shared between two threads: one thread may close the shell and free the object the pointer refers to while the other thread is still using that pointer. Exploiting this vulnerability requires local access, and the attack complexity is considered high.
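The race described above, and one lifetime-safe shape for such a shared pointer, as an added C++ illustration of the bug class (not PX4's code and not its actual patch; Shell, SafeShellOwner and g_live are hypothetical names):

```cpp
// Added illustration of the bug class in the advisory, not PX4 code.
// All names (Shell, SafeShellOwner, g_live) are hypothetical.
#include <memory>
#include <mutex>
#include <string>

int g_live = 0;  // number of Shell objects currently alive

// Stand-in for the shell object the advisory describes as shared between
// a message-handling thread and a thread that can close it.
struct Shell {
    std::string buffered;  // bytes "written" to the shell
    Shell()  { ++g_live; }
    ~Shell() { --g_live; }
};

// The vulnerable shape is a raw pointer that one thread deletes while the
// other has passed its null check and is still using it. Here ownership is
// a shared_ptr behind a mutex: every user takes its own strong reference
// under the lock, so close() may run at any moment without freeing memory.
class SafeShellOwner {
public:
    void open()  { std::lock_guard<std::mutex> g(m_); shell_ = std::make_shared<Shell>(); }
    void close() { std::lock_guard<std::mutex> g(m_); shell_.reset(); }  // owner's ref only
    // Locked read of the pointer; null once the shell has been closed.
    std::shared_ptr<Shell> acquire() { std::lock_guard<std::mutex> g(m_); return shell_; }
    bool write(const std::string& s) {
        auto shell = acquire();    // the null check and the use share one reference
        if (!shell) return false;  // closed: report "no shell" instead of a dangling use
        shell->buffered += s;
        return true;
    }
private:
    std::mutex m_;
    std::shared_ptr<Shell> shell_;
};

// Scenario from the advisory: one thread has the shell in use, the other
// closes it, and the first keeps going. Returns true when the object
// outlived the close and was freed only after the user let go of it.
bool close_while_in_use_is_safe() {
    SafeShellOwner owner;
    owner.open();
    std::shared_ptr<Shell> held = owner.acquire();  // user thread mid-use
    owner.close();                                  // other thread closes
    bool alive_during_use = (g_live == 1) && held != nullptr;
    held->buffered += "ls";                         // no use-after-free
    bool later_writes_refused = !owner.write("x");  // new users see "closed"
    held.reset();                                   // user finishes
    return alive_during_use && later_writes_refused && g_live == 0;
}
```

Only the object's lifetime is addressed here; concurrent writes to the shell's own state would still need their own synchronization.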
Impact
This is a classic use-after-free condition: the program continues to use a pointer after the memory it points to has been freed. Depending on what reuses that memory, the result can be memory corruption, a crash, or the execution of arbitrary code.
Remediation
Users are advised to update to the latest version of PX4-Autopilot, where this vulnerability has been patched. The patch is available on the official PX4 GitHub repository.
