CVE-2024-51394 Overview
CVE-2024-51394 is a buffer overflow vulnerability in ArduPilot Copter at commit 92693e023793133e49a035daf37c14433e484778. The flaw resides in the AP_MSP::loop function within the AP_MSP.cpp component. A local attacker with low privileges can exploit the issue to trigger a denial of service against the autopilot firmware. The vulnerability is tracked under CWE-119, covering improper restriction of operations within memory buffer bounds. ArduPilot is widely deployed on unmanned aerial vehicles, ground rovers, and marine vessels, which makes runtime stability of the MultiWii Serial Protocol (MSP) telemetry handler a safety-relevant concern.
Critical Impact
A local attacker can crash the ArduPilot Copter flight stack by abusing the AP_MSP::loop handler, disrupting telemetry and autopilot availability on affected builds.
Affected Products
- ArduPilot Copter at commit 92693e023793133e49a035daf37c14433e484778
- AP_MSP module within the ArduPilot codebase
- AP_MSP.cpp source file implementing the AP_MSP::loop handler
Discovery Timeline
- 2026-05-13 - CVE-2024-51394 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2024-51394
Vulnerability Analysis
The vulnerability is a buffer overflow in the ArduPilot Copter implementation of the MultiWii Serial Protocol. The defect lives in AP_MSP::loop, the routine that processes inbound MSP frames on a serial channel. Improper bounds enforcement on incoming protocol data allows memory adjacent to the parsing buffer to be overwritten. The result is a deterministic crash of the autopilot process and loss of availability for any consumer of MSP telemetry. The issue is local in scope because MSP traffic is delivered over a serial transport rather than a network socket, requiring physical or local access to the connected interface.
Root Cause
The root cause is missing or insufficient length validation while parsing MSP frames inside AP_MSP::loop. When the protocol decoder accepts a payload that exceeds the size of its destination buffer, writes overflow the allocated region. This pattern matches CWE-119, improper restriction of operations within the bounds of a memory buffer. Refer to the ArduPilot GitHub issue discussion for the reporter's reproduction details and additional context.
Attack Vector
Exploitation requires local, low-privileged access to the serial interface that feeds the MSP subsystem. An attacker connects to the MSP UART or USB-to-serial endpoint and submits a crafted frame whose declared or implicit length drives the parser past the bounds of its receive buffer. The impact is limited to denial of service. The CVSS vector indicates no confidentiality or integrity impact, only availability loss, and no user interaction is required to land the payload once a connection exists.
No verified proof-of-concept code is published. See the ArduPilot GitHub issue discussion for technical specifics shared by the reporter.
Detection Methods for CVE-2024-51394
Indicators of Compromise
- Unexpected restarts, watchdog resets, or crash dumps generated by the ArduPilot Copter firmware on vehicles using MSP telemetry.
- Log entries from the autopilot indicating faults originating in the AP_MSP module or AP_MSP.cpp translation unit.
- Anomalous serial traffic on the MSP UART containing malformed frames or oversized payload length fields.
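One way to triage a recorded MSP serial capture for the malformed or oversized frames listed above. This is an added example, not ArduPilot code or part of the advisory. It assumes the publicly documented MSP v1 (`$M`) and v2 (`$X`) frame layouts, and `scan_msp`, `max_payload` and `SAMPLE` are hypothetical names; the threshold is a site-chosen alert value, not a buffer size taken from AP_MSP.cpp.

```python
import struct

def crc8_dvb_s2(data: bytes) -> int:
    """MSP v2 checksum: CRC-8 with polynomial 0xD5, initial value 0."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ 0xD5) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def xor8(data: bytes) -> int:
    """MSP v1 checksum: XOR of size, command and payload bytes."""
    out = 0
    for byte in data:
        out ^= byte
    return out

def scan_msp(capture: bytes, max_payload: int = 64):
    """Return (offset, version, declared_len, verdict) per MSP header found.
    max_payload is a site-chosen alert threshold, not an ArduPilot constant."""
    findings, i = [], 0
    while i + 3 <= len(capture):
        if capture[i] != 0x24 or capture[i + 1] not in b"MX" or capture[i + 2] not in b"<>!":
            i += 1
            continue
        v2 = capture[i + 1] == ord("X")
        hdr = 8 if v2 else 5  # bytes that precede the payload
        if i + hdr > len(capture):
            findings.append((i, 2 if v2 else 1, None, "truncated-header"))
            break
        size = struct.unpack_from("<H", capture, i + 6)[0] if v2 else capture[i + 3]
        end = i + hdr + size + 1  # one past the checksum byte
        if size > max_payload:
            verdict = "oversized-length"
        elif end > len(capture):
            verdict = "truncated-payload"
        else:
            body = capture[i + 3:end - 1]  # the bytes the checksum covers
            want = crc8_dvb_s2(body) if v2 else xor8(body)
            verdict = "ok" if want == capture[end - 1] else "bad-checksum"
        findings.append((i, 2 if v2 else 1, size, verdict))
        i = end if verdict == "ok" else i + 3  # resync just past a bad header
    return findings

# Constructed sample capture (not real traffic): four frames back to back.
SAMPLE = (b"$M<\x00\x65\x65"               # well-formed v1, empty payload
          b"$M<\xff\x65\x41\x41"           # v1 declaring 255 payload bytes
          b"$M<\x02\x65\x01\x02\x00"       # v1 with a wrong checksum
          b"$X<\x00\x65\x00\x00\x04\x41")  # v2 declaring 1024 payload bytes
```

Set `max_payload` to the largest payload the attached OSD or peripheral legitimately sends; header bytes that occur by chance inside a payload can produce spurious findings, so treat results as leads for review.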
Detection Strategies
- Compare the running ArduPilot Copter build hash against 92693e023793133e49a035daf37c14433e484778 to identify exposed devices.
- Instrument the MSP parser path with bounds-check assertions during development builds to catch oversized payloads before they corrupt memory.
- Monitor ground control station logs for repeated link drops correlated with MSP packets sourced from untrusted peripherals.
Monitoring Recommendations
- Centralize ArduPilot telemetry and crash logs and alert on sustained reboot loops affecting flight-critical vehicles.
- Track serial connection events from peripherals such as OSD or video transmitters that speak MSP to the autopilot.
- Validate firmware integrity at boot to confirm vehicles are running a patched ArduPilot build.
How to Mitigate CVE-2024-51394
Immediate Actions Required
- Identify ArduPilot Copter deployments built from commit 92693e023793133e49a035daf37c14433e484778 or earlier with the same defect.
- Restrict physical access to MSP-capable UARTs and USB ports on affected vehicles and bench setups.
- Disable the MSP protocol on serial ports where it is not strictly required for OSD or peripheral integration.
Patch Information
No official fixed-version advisory is referenced in the NVD record at the time of publication. Track remediation progress through the upstream ArduPilot GitHub issue discussion and rebuild from a commit that includes hardened bounds checking in AP_MSP::loop.
Workarounds
- Set the relevant SERIALn_PROTOCOL parameter to a value other than MSP on ports that do not require the protocol.
- Use only trusted peripherals on MSP-enabled UARTs and remove unused serial breakouts from production airframes.
- Rebuild ArduPilot from current master once a fix lands and validate the MSP parser with fuzzed input before redeployment.
# Configuration example: disable MSP on a serial port via MAVLink parameter set
# Replace N with the target serial port index on your vehicle
param set SERIALN_PROTOCOL 0
param fetch SERIALN_PROTOCOL
reboot


