CVE-2026-26011
- Source
- https://cve.org/CVERecord?id=CVE-2026-26011
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26011.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-26011
- Aliases
-
- GHSA-mgj5-g2p6-gc5x
- Published
- 2026-02-12T20:42:50.758Z
- Modified
- 2026-04-12T20:23:15.474583Z
- Severity
-
- 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Critical Heap Out-of-bounds Access in `pf_cluster_stats()` via Malicious /initialpose Covariance -- Potential Remote Code Execution
- Details
-
navigation2 is a ROS 2 Navigation Framework and System. In 1.3.11 and earlier, a critical heap out-of-bounds write vulnerability exists in Nav2 AMCL's particle filter clustering logic. By publishing a single crafted geometry_msgs/PoseWithCovarianceStamped message with extreme covariance values to the /initialpose topic, an unauthenticated attacker on the same ROS 2 DDS domain can trigger a negative index write (set->clusters[-1]) into heap memory preceding the allocated buffer. In Release builds, the sole boundary check (assert) is compiled out, leaving zero runtime protection. This primitive allows controlled corruption of the heap chunk metadata(at least the size of the heap chunk where the set->clusters is in is controllable by the attacker), potentially leading to further exploitation. At minimum, it provides a reliable single-packet denial of service that kills localization and halts all navigation.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26011.json", "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-122", "CWE-787" ] }- References
-
- https://github.com/ros-navigation/navigation2/releases/tag/1.3.11
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26011.json
- https://github.com/ros-navigation/navigation2/security/advisories/GHSA-mgj5-g2p6-gc5x
- https://nvd.nist.gov/vuln/detail/CVE-2026-26011
- https://github.com/ros-navigation/navigation2/commit/d09ea82477ce9234678a6febf6890235e0a7ce12
Affected packages
Git / github.com/ros-navigation/navigation2
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ros-navigation/navigation2
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.2.0
1.*
1.3.0
1.3.1
1.3.10
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26011.json"
vanir_signatures_modified
"2026-04-12T20:23:15Z"
vanir_signatures
[
{
"target": {
"file": "nav2_controller/src/controller_server.cpp"
},
"id": "CVE-2026-26011-03740ce6",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"184938690731078541213341683942766477966",
"278752103734718734161701353765058012983",
"194160951054655719625616289370122743317",
"16962547820181151326063743159613300462",
"125644218154586075805005298186550244755",
"228989227709522748414145142699507281090",
"291335639850362619702488640778693588508",
"188793242138073563891912399934153267073",
"92940985107211310881054203440626402484",
"62848932255758963723179181578054680819",
"319032029330339060424344676791979935771",
"331784101078890577243569739369328401099",
"116696975967478395839393148093954084383",
"68202340869636830556686367207126043755",
"176958351276831494706163372035161480025",
"57922355886813772683943839687323716879",
"211449717900362405032830921304865919974",
"219214366219669432780914981174458418222",
"247420397571544302152984976783998847902",
"320024796247463648071867529363048457257",
"225562421927557341623011597803114601993",
"284042377492586518246974689658382917496",
"212410781577250884720375944306929501808",
"178736927123019664897860717652560290114",
"2724158956476947050395688829942272418"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_costmap_2d/src/costmap_layer.cpp"
},
"id": "CVE-2026-26011-1ed49880",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"1418419869167351809476314638017582934",
"87458955841190821912850390875469392598",
"176738303410212830826362081107997934772",
"296073021777538811541773073985794115482"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_bt_navigator/src/navigators/navigate_through_poses.cpp"
},
"id": "CVE-2026-26011-3117a8d9",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"221085970277177771850107795266821989483",
"279111655958064685645665972257303285085",
"266429775533256016176917409154734543401",
"273456872709279721593178437869886706561",
"36613932903454414883199626397386885247",
"82259657772594623053384972402685090608",
"259947725896187003766921935282958358702",
"260099396563256529810034339966007365083",
"163381654276452890348922156442010347917",
"199076191754095014064197726586066811968",
"207065264280569520280643580184533765123",
"67525486575373938554980134421517580367"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_controller/src/controller_server.cpp",
"function": "ControllerServer::on_configure"
},
"id": "CVE-2026-26011-3eea94ec",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 6335.0,
"function_hash": "143365159180999356524622109321185770163"
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_behavior_tree/src/behavior_tree_engine.cpp"
},
"id": "CVE-2026-26011-43a52f7e",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"250135974371569700446712003899414371408",
"319617203917606887410695439610740306688",
"160505235960319162671211223038276023203",
"252801628875871459175244241253314337937"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_costmap_2d/src/layered_costmap.cpp",
"function": "LayeredCostmap::updateMap"
},
"id": "CVE-2026-26011-4dcf4bd0",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 3822.0,
"function_hash": "284463979416921661804411085901845550390"
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_controller/src/controller_server.cpp",
"function": "ControllerServer::computeAndPublishVelocity"
},
"id": "CVE-2026-26011-51875c79",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 2240.0,
"function_hash": "321335251677666167985582684585732642674"
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_mppi_controller/src/optimizer.cpp",
"function": "Optimizer::fallback"
},
"id": "CVE-2026-26011-7fb29468",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 278.0,
"function_hash": "263509445377856124582872986250939270050"
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_costmap_2d/src/costmap_2d_publisher.cpp"
},
"id": "CVE-2026-26011-8de9e4df",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"190254479633538628734606539835081549474",
"191930637701461825668230515416320047001",
"333435192751184639029592112642556724815",
"243313589654539487379282174386577658736",
"113456942678812366046262029490732426288",
"182161201823353646583411821617083559436",
"71113251973380516107518243800333440119",
"121483292444806350675421635317917043319",
"92278406861666968099793166578401571668"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_controller/src/controller_server.cpp",
"function": "ControllerServer::updateGlobalPath"
},
"id": "CVE-2026-26011-93e1fa96",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 1331.0,
"function_hash": "18948286047972141693914084825969118000"
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_costmap_2d/src/costmap_2d_publisher.cpp",
"function": "Costmap2DPublisher::Costmap2DPublisher"
},
"id": "CVE-2026-26011-9de85cdd",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 1657.0,
"function_hash": "115469966445112886426102960845811834485"
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_costmap_2d/src/layered_costmap.cpp"
},
"id": "CVE-2026-26011-a6606d9b",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"257991385782021322273602173714975680593",
"261432833147077277146859052699753394962",
"276730651300438469570512203040491534951",
"30604939232595195566552052659870003887",
"49947732055287269257834500795238013299",
"235812296936517870950377087690403291463",
"131276277110891763046682924918409542050",
"322137146394629353201681018623956738988",
"265936687092377433834869854702570339010",
"314808659061270602047497040697364505171",
"334713099435150705460638957325245701652",
"14945527769816437372268637937657222535",
"166088013018713358149070872764455677799"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_bt_navigator/src/navigators/navigate_through_poses.cpp",
"function": "NavigateThroughPosesNavigator::onPreempt"
},
"id": "CVE-2026-26011-aadcf984",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 1174.0,
"function_hash": "340150534524509202089848609727227033330"
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_costmap_2d/include/nav2_costmap_2d/costmap_2d_publisher.hpp"
},
"id": "CVE-2026-26011-bb4eb203",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"312978829267391187892964977782123214419",
"116536993936906646032622021510354636084",
"331352717865840619297581175949762674921",
"90644811769703725242940831398177160923",
"185554344490223697087645766761782354576",
"208497879347123512972162016417676439407",
"227515789400807818193811123198055812493",
"314268384271237941278946526987337633202",
"108684182915548151772524588437006985401",
"26479378422969864702264866087706120322",
"95728045784725126764683463339012946976",
"163044163989503343501403821614868015403"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_controller/src/controller_server.cpp",
"function": "ControllerServer::computeControl"
},
"id": "CVE-2026-26011-bf164f5b",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 5093.0,
"function_hash": "98315016806292638829994614746448372394"
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_controller/src/controller_server.cpp",
"function": "ControllerServer::findProgressCheckerId"
},
"id": "CVE-2026-26011-c3342dc2",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 929.0,
"function_hash": "127908320515842517734490080829948984133"
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_costmap_2d/src/layered_costmap.cpp",
"function": "LayeredCostmap::resizeMap"
},
"id": "CVE-2026-26011-e6430809",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 713.0,
"function_hash": "96697931298364589381301966459028802610"
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_mppi_controller/src/optimizer.cpp"
},
"id": "CVE-2026-26011-f2754779",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Line",
"deprecated": false,
"digest": {
"threshold": 0.9,
"line_hashes": [
"114314002479011527831265361901543027994",
"76218348715422160039385074774873094129",
"136139115840466820016755845912577843946",
"205442764827980058039560390755068439527",
"314630958694002763766732715021841924879",
"172524095411368974975594625922722568603",
"239609077674247519572197640408660571036",
"173488077592728817658655456677907280394"
]
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_mppi_controller/src/optimizer.cpp",
"function": "Optimizer::setSpeedLimit"
},
"id": "CVE-2026-26011-f51aa466",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 1019.0,
"function_hash": "57382359513541625747408618490293100565"
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_costmap_2d/src/costmap_2d_publisher.cpp",
"function": "Costmap2DPublisher::publishCostmap"
},
"id": "CVE-2026-26011-fb0fd520",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 1087.0,
"function_hash": "16272088478605286326441525205276077173"
},
"signature_version": "v1"
},
{
"target": {
"file": "nav2_costmap_2d/src/costmap_layer.cpp",
"function": "CostmapLayer::matchSize"
},
"id": "CVE-2026-26011-fc1fc0c0",
"source": "https://github.com/ros-navigation/navigation2/commit/6e0958affab9bc6c2367aa68c3bead164c2bc697",
"signature_type": "Function",
"deprecated": false,
"digest": {
"length": 305.0,
"function_hash": "269836189709096460952011953100154204450"
},
"signature_version": "v1"
}
]