| Field | Value |
|---|---|
| Title | PX4 PX4-Autopilot main and v1.15.4 Race Condition in File Access |
| Description | The issue stems from unsynchronized access to the `_mavlink_shell` pointer shared between `MavlinkReceiver::handle_message_serial_control()`, which may call `get_shell()` and `close_shell()`, and `Mavlink::task_main()`, which periodically checks `_mavlink_shell->available()` to send serial output back via MAVLink. When one thread deletes the `_mavlink_shell` instance via `close_shell()` (on receiving a SERIAL_CONTROL without the RESPOND flag), the other thread may still dereference the freed pointer during its polling loop. This results in a classic use-after-free triggered under specific timing conditions. |
| Source | https://github.com/PX4/PX4-Autopilot/pull/25082 |
| User | 0x20z (UID 81279) |
| Submission | 07/29/2025 11:59 (11 months ago) |
| Moderation | 08/14/2025 08:01 (16 days later) |
| Status | Accepted |
| VulDB entry | 320081 [PX4 PX4-Autopilot up to 1.15.4 Mavlink Shell Closing mavlink_receiver.cpp handle_message_serial_control _mavlink_shell use after free] |
| Points | 20 |
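The race described in the submission reduces to a check-then-use on a shared pointer that another thread may free in between. The C++ below is an added model of that pattern and of one way to close the window (a single mutex held across both the poller's check-and-use and the closer's free); it is not PX4 code, the fix merged in the linked PR may take a different shape, and every name in it (`ModelShell`, `VulnMavlink`, `SafeMavlink`, the `interleave` hook) is invented for illustration. A closed shell is flagged rather than deleted so the use-after-free shows up as a counter instead of undefined behaviour, and the bad interleaving is forced deterministically through the hook rather than left to timing.

```cpp
#include <cstdio>
#include <functional>
#include <mutex>
#include <thread>

// Hypothetical model of the race in the submission; not PX4 code. Type and
// function names are invented. A closed shell is flagged, not deleted, so a
// use-after-free is observable as a counter, and the shell lives inline so
// nothing leaks.

struct ModelShell {
    bool freed = false;   // set by close_shell(); stands in for `delete`
    int pending = 3;      // bytes the shell would push back over MAVLink
};

// Vulnerable shape: the poller does `if (shell && shell->available())` with
// nothing ordering it against close_shell() running on the receiver thread.
struct VulnMavlink {
    ModelShell storage;
    ModelShell *shell = nullptr;        // the shared pointer
    int uaf = 0;                        // dereferences of a closed shell
    std::function<void()> interleave;   // hook: "the other thread runs here"

    ModelShell *get_shell() { if (!shell) shell = &storage; return shell; }
    // Receiver thread, SERIAL_CONTROL without RESPOND: free and clear.
    void close_shell() { if (shell) { shell->freed = true; shell = nullptr; } }

    // Poll loop: null check, then use, with an unprotected window between.
    int poll_once() {
        ModelShell *s = shell;               // (1) pointer read for the null check
        if (!s) return 0;
        if (interleave) interleave();        // (2) receiver closes the shell here
        if (s->freed) { ++uaf; return 0; }   // (3) available() on a freed object
        return s->pending;
    }
};

// Hardened shape: one mutex protects the pointer and the object it owns, held
// across check-and-use by the poller and across the free by the closer.
struct SafeMavlink {
    std::mutex m;
    ModelShell storage;
    ModelShell *shell = nullptr;
    int uaf = 0;
    std::function<void()> interleave;

    ModelShell *get_shell() {
        std::lock_guard<std::mutex> g(m);
        if (!shell) shell = &storage;
        return shell;
    }
    void close_shell() {
        std::lock_guard<std::mutex> g(m);   // blocks while a poll is in flight
        if (shell) { shell->freed = true; shell = nullptr; }
    }
    int poll_once() {
        std::lock_guard<std::mutex> g(m);   // closer cannot run until we return
        ModelShell *s = shell;
        if (!s) return 0;
        if (interleave) interleave();
        if (s->freed) { ++uaf; return 0; }
        return s->pending;
    }
};

// Drive the vulnerable model through the bad interleaving: the shell is
// closed after the poller's null check but before its use.
int vuln_uaf_count() {
    VulnMavlink mav;
    mav.get_shell();
    mav.interleave = [&mav] { mav.close_shell(); };
    mav.poll_once();
    return mav.uaf;   // 1: the freed object was dereferenced
}

struct SafeResult { int uaf; int bytes; };

// Same attempt against the hardened model: close_shell() is started on a
// second thread at the same point but blocks on the mutex until poll_once()
// has finished with the object, so the poll sees a live shell.
SafeResult safe_run() {
    SafeMavlink mav;
    mav.get_shell();
    std::thread closer;
    mav.interleave = [&] { closer = std::thread([&mav] { mav.close_shell(); }); };
    int bytes = mav.poll_once();
    closer.join();                    // the free happens only after the poll
    return SafeResult{mav.uaf, bytes};   // {0, 3}
}

int main() {
    std::printf("vulnerable model: uaf=%d\n", vuln_uaf_count());
    SafeResult r = safe_run();
    std::printf("hardened model: uaf=%d bytes=%d\n", r.uaf, r.bytes);
    return 0;
}
```

The point the model makes is that a null check on the pointer is not a liveness guarantee: what has to be atomic with respect to the closer is the whole span from the check to the last use of the object, which is why the lock in `SafeMavlink::poll_once()` is held until `available()` (here `pending`) has been read, not just around the pointer load. Any fix that only nulls the pointer under a lock but dereferences it after releasing it leaves the same window open.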