Cyber Posture

CVE-2024-40427

HighPublic PoC

Published: 07 January 2025

Published
07 January 2025
Modified
20 June 2025
KEV Added
Patch
CVSS Score 7.9 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H
EPSS Score 0.0023 45.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-40427 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Dronecode Px4 Drone Autopilot. Its CVSS base score is 7.9 (High).

Operationally, ranked at the 45.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the stack buffer overflow by requiring timely remediation through patching, as evidenced by the specific GitHub commit fixing CVE-2024-40427 in PX4-Autopilot.

SI-10 Information Input Validation good match
prevent

Prevents stack buffer overflows like CWE-120 in PX4-Autopilot by enforcing validation of inputs to ensure they do not exceed buffer boundaries.

SI-16 Memory Protection good match
prevent

Addresses exploitation of the stack buffer overflow in PX4-Autopilot by implementing memory protections such as stack canaries and address space layout randomization.

NVD Description

Stack Buffer Overflow in PX4-Autopilot v1.14.3, which allows attackers to execute commands to exploit this vulnerability and cause the program to refuse to execute

Deeper analysisAI

CVE-2024-40427 is a stack buffer overflow vulnerability (CWE-120) in PX4-Autopilot version 1.14.3. Published on 2025-01-07, it carries a CVSS v3.1 base score of 7.9 (AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H), indicating high severity due to its potential for significant integrity and availability impacts without confidentiality loss.

The vulnerability can be exploited by local attackers with low privileges who trick a user into some interaction. Successful exploitation enables command execution, allowing attackers to manipulate program behavior and cause the software to refuse execution, resulting in high integrity and availability disruptions within a changed scope.

Mitigation is addressed in a patch via GitHub commit e03e0261a1a0c82f545e66a1e3795956c886db71 in the PX4-Autopilot repository. Further details on the issue and remediation are available in the associated security advisory at GHSA-55wq-2hgm-75m4.

Details

CWE(s)
CWE-120

Affected Products

dronecode
px4 drone autopilot
≤ 1.14.3

CVEs Like This One

CVE-2026-32706Same product: Dronecode Px4 Drone Autopilot
CVE-2026-26741Same product: Dronecode Px4 Drone Autopilot
CVE-2026-26742Same product: Dronecode Px4 Drone Autopilot
CVE-2026-32708Same product: Dronecode Px4 Drone Autopilot
CVE-2025-24956Shared CWE-120
CVE-2024-57482Shared CWE-120
CVE-2024-57479Shared CWE-120
CVE-2025-69807Shared CWE-120
CVE-2019-25353Shared CWE-120
CVE-2020-37050Shared CWE-120

References