CVE-2024-29460 identifies a vulnerability in the PX4 Autopilot software, specifically version 1.14.0, which is widely used in drone flight control systems. The flaw exists in the mission_block.cpp component, where the home point location can be manipulated by an attacker. This manipulation allows unauthorized alteration of the drone's flight path, potentially causing the drone to crash. The vulnerability is classified under CWE-229, indicating improper restriction of operations within the bounds of a memory buffer or data structure. Exploitation requires local access (AV:L), low attack complexity (AC:L), and low privileges (PR:L), with user interaction (UI:R) necessary to trigger the issue. The scope is unchanged (S:U), meaning the impact is confined to the vulnerable component. The impact affects integrity and availability (I:H/A:H) but not confidentiality. Although no public exploits have been reported, the potential for physical damage and operational disruption is significant. The vulnerability highlights the risks in autonomous vehicle software where manipulation of navigation parameters can lead to safety hazards.

The primary impact of this vulnerability is on the integrity and availability of drone operations. By manipulating the home point location, an attacker can redirect the drone's flight path, potentially causing crashes that result in physical damage to the drone, property, or people. This can disrupt critical missions such as surveying, delivery, agriculture, or defense operations relying on PX4 Autopilot. The requirement for local access and user interaction limits remote exploitation but does not eliminate risk in environments where attackers can gain limited access or trick users into triggering the vulnerability. Organizations could face operational downtime, financial losses, and reputational damage. In defense or critical infrastructure contexts, the impact could extend to national security concerns.

To mitigate this vulnerability, organizations should first monitor PX4 Autopilot updates and apply patches once available. Until patches are released, restrict access to drone control interfaces to trusted personnel only and implement strict access controls to prevent unauthorized local access. Employ user training to reduce the risk of social engineering that could lead to malicious user interaction. Conduct thorough validation and sanitization of mission parameters, especially the home point location, within custom implementations or integrations. Consider implementing additional runtime monitoring to detect anomalous flight path changes and enable emergency override or safe landing protocols. Regularly audit drone software configurations and mission plans to ensure integrity. For critical deployments, consider isolating drone control networks from general-purpose networks to reduce attack surface.