
CVE-2024-24255: n/a in n/a

Severity: Medium
Tags: Vulnerability, CVE-2024-24255, cve, cve-2024-24255
Published: Tue Feb 06 2024 (02/06/2024, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

A Race Condition discovered in geofence.cpp and mission_feasibility_checker.cpp in PX4 Autopilot 1.14 and earlier allows attackers to send drones on unintended missions.

AI-Powered Analysis

Last updated: 07/05/2025, 04:41:03 UTC

Technical Analysis

CVE-2024-24255 is a medium-severity race condition vulnerability identified in the PX4 Autopilot software, specifically within the geofence.cpp and mission_feasibility_checker.cpp components. PX4 Autopilot is an open-source flight control software widely used in drones and unmanned aerial vehicles (UAVs). The race condition arises when concurrent processes or threads access shared resources without proper synchronization, leading to unpredictable behavior. In this case, the flaw allows an attacker to manipulate the timing of operations related to geofencing and mission feasibility checks, potentially causing the drone to execute unintended missions. This could mean bypassing geographic restrictions or safety checks designed to prevent drones from entering restricted airspace or performing unauthorized tasks.

The vulnerability has a CVSS 3.1 base score of 4.2, indicating a medium severity level. The vector indicates that the attack can be performed remotely (AV:N), requires high attack complexity (AC:H), low privileges (PR:L), and no user interaction (UI:N), and impacts integrity and availability to a limited extent (I:L, A:L). No known exploits are currently reported in the wild, and no patches have been linked yet. The underlying weakness is classified as CWE-362 (Race Condition), which is a common concurrency issue in software development.

Given the critical role of PX4 in drone navigation and mission execution, this vulnerability could be exploited to disrupt drone operations or cause drones to violate regulatory constraints, posing safety and security risks.

Potential Impact

For European organizations, the impact of this vulnerability could be significant, especially for entities relying on PX4-based drones for commercial, industrial, or governmental purposes. Potential impacts include unauthorized drone missions that could violate EU airspace regulations, leading to legal and regulatory consequences. Critical infrastructure operators using drones for inspection or surveillance might face operational disruptions or safety hazards if drones are diverted or misdirected. The integrity of data collected by drones could be compromised if missions are altered, affecting decision-making processes. Additionally, availability impacts could arise if drones are forced into unintended behaviors, potentially causing crashes or loss of assets. Given the increasing adoption of drones in sectors such as agriculture, logistics, emergency response, and law enforcement across Europe, this vulnerability could undermine trust in drone operations and pose risks to public safety and privacy.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should first monitor PX4 project communications and security advisories for official patches or updates addressing CVE-2024-24255 and apply them promptly. In the absence of patches, organizations should implement strict operational controls, such as limiting network access to drone control interfaces to trusted sources only and employing strong authentication and encryption for command and control channels to reduce the risk of remote exploitation. Conduct thorough code reviews and testing of custom PX4 implementations to identify and fix race conditions. Employ runtime monitoring and anomaly detection to identify unexpected drone behaviors indicative of exploitation attempts. Additionally, enforce geofencing at multiple layers, including hardware and external control systems, to provide defense-in-depth against mission manipulation. Training drone operators to recognize and respond to anomalous drone behavior can also reduce operational risks. Finally, collaborate with regulatory bodies to ensure compliance with evolving drone security standards.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-01-25T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd811c

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/5/2025, 4:41:03 AM

Last updated: 7/29/2025, 6:12:30 PM
