Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Unauthenticated ROS topics give PR:N and a single crafted message gives AC:L; impact is a controller crash (A:H) with no confidentiality or integrity effect, though AV:N assumes ROS network reachability.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
An improper input validation in the gazebo_ros_diff_drive.cpp component of gazebo_plugins v3.9.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted geometry_msgs::Twist message.
AnalysisAI
Denial of service in the gazebo_plugins package (v3.9.0), specifically the differential-drive controller gazebo_ros_diff_drive.cpp, lets attackers crash the affected simulation/robot-control node by publishing a specially crafted geometry_msgs::Twist velocity command. Any actor able to reach the relevant ROS topic can trigger the fault because the plugin fails to validate the incoming message before processing it (CWE-20). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to be able to publish a crafted geometry_msgs::Twist message onto the ROS topic consumed by the gazebo_ros_diff_drive controller in gazebo_plugins 3.9.0 - i.e., network reachability to the ROS graph/master (ROS 1 topics are unauthenticated by default, matching PR:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and point to a real but low-urgency issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to the ROS network (e.g., a foothold on the robot LAN or an exposed ROS master) publishes a crafted geometry_msgs::Twist message to the diff-drive command topic, causing the gazebo_ros_diff_drive plugin to crash and denying control/simulation availability. Because the transport is unauthenticated and the trigger is a single scriptable message (SSVC Automatable=yes), no privileges or user interaction are needed; a public proof-of-concept video and write-up demonstrate the crash. |
| Remediation | No vendor-released patched version is identified in the provided data at time of analysis, and EUVD does not enumerate a fixed release, so track the gazebo_plugins/gazebo_ros upstream project for a corrected release and upgrade off 3.9.0 once published. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running gazebo_plugins v3.9.0 and assess operational criticality; implement access controls restricting ROS topic publishers to authorized systems only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41221
GHSA-866x-255q-hx3g