CVE-2024-24254 is a race condition vulnerability identified in PX4 Autopilot versions 1.14 and earlier. PX4 is an open-source flight control software widely used in drones and unmanned aerial vehicles (UAVs). The vulnerability arises due to the lack of proper synchronization mechanisms when loading geofence data within the source files geofence.cpp and mission_feasibility_checker.cpp. Specifically, this race condition can cause the drone to upload overlapping geofences and mission routes. Geofences are virtual boundaries that restrict drone flight to authorized areas, and mission routes define the drone's flight path. Overlapping geofences and mission routes can lead to inconsistent or conflicting flight restrictions and mission parameters, potentially causing the drone to violate no-fly zones or execute unintended flight paths. The CVSS 3.1 base score is 4.2, indicating a medium severity level. The vector string (AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L) indicates that the vulnerability is remotely exploitable over the network, requires low privileges, high attack complexity, no user interaction, and impacts integrity and availability but not confidentiality. The weakness is classified under CWE-362 (Race Condition), which typically involves improper handling of concurrent operations leading to unpredictable behavior. No known exploits are reported in the wild, and no patches have been linked yet. This vulnerability could be exploited by an attacker with network access and low privileges to cause mission planning inconsistencies, potentially disrupting drone operations or causing safety hazards.

For European organizations utilizing PX4-based drones, especially in sectors such as agriculture, infrastructure inspection, delivery services, and public safety, this vulnerability poses a risk of operational disruption. Overlapping geofences and mission routes can cause drones to inadvertently enter restricted or hazardous areas, violating regulatory compliance and potentially causing physical damage or safety incidents. This could lead to financial losses, reputational damage, and regulatory penalties under frameworks like the EU Drone Regulation (EU) 2019/947. Additionally, critical infrastructure monitoring or emergency response drones could be compromised in their mission integrity, impacting public safety. Although the vulnerability does not directly expose confidential data, the integrity and availability of drone missions are affected, which can have cascading effects on dependent systems and services. The medium severity suggests a moderate risk, but the impact could be significant in safety-critical applications.

European organizations should implement the following specific mitigations: 1) Immediately audit PX4 Autopilot versions in use and identify any deployments running version 1.14 or earlier. 2) Monitor PX4 project repositories and security advisories for official patches addressing CVE-2024-24254 and apply updates promptly once available. 3) Until patches are released, implement operational controls such as restricting network access to drone control interfaces to trusted personnel and networks only, minimizing exposure to remote exploitation. 4) Introduce additional validation and verification steps in mission planning workflows to detect overlapping geofences or conflicting mission routes before deployment. 5) Employ runtime monitoring and anomaly detection on drone telemetry to identify unexpected flight behaviors indicative of exploitation. 6) Engage with drone manufacturers or integrators to confirm if customized PX4 versions are affected and request vendor-specific mitigations or updates. 7) Train drone operators on the risks of race conditions in mission planning and enforce strict procedures for mission data handling. These measures go beyond generic advice by focusing on operational controls, validation, and vendor engagement tailored to PX4-based drone environments.