
CVE-2024-30799: n/a

Severity: Medium
Tags: Vulnerability, CVE-2024-30799, cve
Published: Mon Apr 22 2024 (04/22/2024, 00:00:00 UTC)
Source: CVE Database V5

Description

An issue in PX4 Autopilot v1.14 and before allows a remote attacker to execute arbitrary code and cause a denial of service via the Breach Return Point function.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 17:00:13 UTC

Technical Analysis

CVE-2024-30799 is a vulnerability identified in PX4 Autopilot software version 1.14 and earlier, specifically within the Breach Return Point function. PX4 Autopilot is an open-source flight control software widely used in drones and unmanned aerial vehicles (UAVs). The vulnerability is classified under CWE-120, indicating a classic buffer overflow issue. This flaw allows a remote attacker with limited privileges (PR:L) and requiring user interaction (UI:R) to potentially execute arbitrary code or cause a denial of service (DoS). The attack vector is local (AV:L), meaning the attacker must have some form of local access, such as through a connected device or network segment. The attack complexity is high (AC:H), indicating that exploitation is not straightforward and requires specific conditions or knowledge. The vulnerability does not affect confidentiality or integrity but impacts availability by crashing or destabilizing the autopilot system. No patches or fixes have been published at the time of disclosure, and no known exploits are reported in the wild. This vulnerability poses a risk to the operational stability of drones relying on PX4, potentially leading to mission failure or loss of control.

Potential Impact

The primary impact of CVE-2024-30799 is on the availability of PX4 Autopilot systems, which could result in denial of service or unexpected behavior during drone operations. This can lead to mission failures, loss of control, or crashes, which may have safety implications especially in critical applications such as defense, emergency response, agriculture, and infrastructure inspection. Since the vulnerability allows arbitrary code execution, there is a theoretical risk of deeper system compromise if exploited successfully, although the high attack complexity and requirement for local access limit this risk. Organizations deploying PX4-based drones could face operational disruptions, financial losses, and reputational damage if the vulnerability is exploited. The lack of patches increases the window of exposure until mitigations or updates are applied.

Mitigation Recommendations

To mitigate CVE-2024-30799, organizations should first restrict local access to PX4 Autopilot systems by enforcing strict network segmentation and physical security controls to prevent unauthorized connections. Disable or limit the use of the Breach Return Point function if feasible until a patch is available. Monitor PX4 project repositories and security advisories closely for official patches or updates and apply them promptly once released. Implement runtime protections such as memory safety tools or sandboxing where possible to reduce the impact of buffer overflows. Conduct thorough testing of drone software updates in controlled environments before deployment. Additionally, educate operators about the risks of connecting untrusted devices or software to PX4 systems and enforce strict user interaction policies to minimize exploitation chances. Consider deploying intrusion detection systems that can identify anomalous behavior in drone control communications.


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2024-03-27T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6dcab7ef31ef0b58e6bb

Added to database: 2/25/2026, 9:46:50 PM

Last enriched: 2/26/2026, 5:00:13 PM

Last updated: 4/12/2026, 3:37:42 AM
