Ros2 · Navigation2 · CVE-2026-26011
**Name of the Vulnerable Software and Affected Versions**
navigation2 versions prior to 1.3.11
**Description**
navigation2 is a ROS 2 Navigation Framework and System. A heap out-of-bounds write issue exists in Nav2 AMCL’s particle filter clustering logic. An unauthenticated attacker on the same ROS 2 DDS domain can trigger a negative index write into heap memory by publishing a crafted `geometry_msgs/PoseWithCovarianceStamped` message to the `/initialpose` topic. The message must contain extreme covariance values. In Release builds, runtime protection is disabled. This allows controlled corruption of heap chunk metadata, potentially leading to further exploitation or a denial of service that halts navigation. The vulnerable code attempts to access `set->clusters[-1]`.
**Recommendations**
Update to a version later than 1.3.11.
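A defensive sketch of the two checks this advisory points to, as an added example that is not Nav2's code or its actual patch: validate the covariance of an incoming `/initialpose` message before it is used, and bounds-check the cluster index with a test that remains in Release builds. The limits, struct layouts and function names are assumptions made for illustration.

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed limits for illustration only; tune per deployment. */
#define MAX_XY_VAR  100.0   /* m^2 */
#define MAX_YAW_VAR 9.8696  /* rad^2, about pi^2 */

/* cov is the row-major 6x6 covariance of a PoseWithCovariance
 * (x, y, z, rot X, rot Y, rot Z). Only the planar terms are checked. */
bool initialpose_cov_ok(const double cov[36])
{
    for (size_t i = 0; i < 36; i++)
        if (!isfinite(cov[i])) return false;          /* NaN / Inf */
    const double xx = cov[0], xy = cov[1], yx = cov[6], yy = cov[7], aa = cov[35];
    if (xx < 0 || yy < 0 || aa < 0) return false;     /* variances are >= 0 */
    if (xx > MAX_XY_VAR || yy > MAX_XY_VAR || aa > MAX_YAW_VAR) return false;
    const double d = xy - yx;
    if (d > 1e-9 || d < -1e-9) return false;          /* must be symmetric */
    return xy * xy <= xx * yy;                        /* x-y block must be PSD */
}

/* Simplified, hypothetical stand-ins for a particle set and its clusters. */
typedef struct { int count; double weight; } cluster_t;
typedef struct { int cluster_max_count; cluster_t *clusters; } sample_set_t;

/* Bounds check that stays active in Release builds; an assert() would be
 * compiled out under NDEBUG. Returns NULL instead of touching clusters[-1]. */
cluster_t *cluster_at(sample_set_t *set, int cidx)
{
    if (set == NULL || set->clusters == NULL) return NULL;
    if (cidx < 0 || cidx >= set->cluster_max_count) return NULL;
    return &set->clusters[cidx];
}

int main(void)
{
    double sane[36] = {0}, extreme[36] = {0};         /* constructed samples */
    sane[0] = sane[7] = 0.25; sane[35] = 0.0685;
    extreme[0] = extreme[7] = extreme[35] = 1e308;
    cluster_t c[4] = {{0, 0.0}};
    sample_set_t set = {4, c};
    printf("sane=%d extreme=%d idx(-1)=%s idx(2)=%s\n",
           initialpose_cov_ok(sane), initialpose_cov_ok(extreme),
           cluster_at(&set, -1) ? "ok" : "rejected",
           cluster_at(&set, 2) ? "ok" : "rejected");
    return 0;
}
```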