Broken in Transit: Detecting Type Confusion in ROS 2 Deserialization Via Fuzzing
Stephen Nwagwughiagwu, Jose Toribio, Jeremy Blackstone
Abstract
The Robot Operating System 2 (ROS 2) has become the middleware backbone of modern robotics and cyber-physical systems, offering flexibility, modularity, and high-performance communication via the DDS protocol and eProsima's Fast-CDR serialization library. However, this reliance on implicit type contracts between publishers and subscribers introduces a critical attack surface. In this paper, we present the first systematic study of type confusion vulnerabilities in ROS 2 deserialization, exposing a previously unexplored attack surface in robotic middleware. Through our fuzzing approach, we show that injecting malformed or mismatched message payloads into topics that expect a different format can trigger Fast-CDR deserialization failures. These failures propagate as uncaught exceptions, resulting in process crashes and node-level outages. Our findings reveal a previously undocumented flaw in ROS 2's trust model for topic integrity, where the absence of runtime type enforcement and input validation on received payloads leads to exploitable denial-of-service conditions. Through targeted fuzzing and case studies using standard ROS 2 messages, we evaluate the exploitability of this vulnerability in both simulation and physical robotics environments. This work underscores the need for secure-by-design messaging to ensure the reliability and safety of robotic middleware and cyber-physical systems.
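The mechanism the abstract describes, shown as an added illustration that is not the paper's fuzzer and does not use Fast-CDR itself: a minimal reader for two standard ROS 2 messages, std_msgs/msg/String and geometry_msgs/msg/Twist, over the CDR encoding ROS 2 carries on the wire (a 4-byte encapsulation header, then little-endian fields aligned relative to the start of the data that follows the header). The reader raises on any out-of-bounds read, standing in for the exception a real deserializer throws; the NotEnoughData class, the message payloads and the helper names are constructed for this example. Feeding a String payload to the Twist decoder runs out of bytes after the first field, and feeding a Twist payload to the String decoder reinterprets the low 32 bits of a float64 as a string length in the billions. An unguarded subscriber lets that exception propagate and crashes the node; try_decode shows the check at the subscription boundary that turns the crash into a rejected message.

```python
"""Constructed demonstration of CDR type confusion (not code from the paper)."""
import struct

# XCDR1 encapsulation header used by ROS 2 payloads: representation
# identifier CDR_LE (0x0001) followed by two option bytes.
CDR_LE_HEADER = b"\x00\x01\x00\x00"


class NotEnoughData(Exception):
    """Stand-in for the exception a CDR deserializer raises on a short buffer."""


class CdrReader:
    """Minimal little-endian CDR reader; alignment is relative to offset 4."""

    def __init__(self, buf: bytes):
        if len(buf) < 4:
            raise NotEnoughData("missing 4-byte encapsulation header")
        self.buf = buf
        self.pos = 4

    def _align(self, n: int) -> None:
        self.pos += (-(self.pos - 4)) % n

    def _take(self, n: int) -> bytes:
        avail = len(self.buf) - self.pos
        if n > avail:
            raise NotEnoughData(f"need {n} bytes at offset {self.pos}, have {avail}")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        self._align(4)
        return struct.unpack("<I", self._take(4))[0]

    def f64(self) -> float:
        self._align(8)
        return struct.unpack("<d", self._take(8))[0]

    def string(self) -> str:
        # CDR string: uint32 length (including the NUL terminator), then bytes.
        n = self.u32()
        raw = self._take(n)
        if n == 0 or raw[-1] != 0:
            raise ValueError("string is not NUL-terminated")
        return raw[:-1].decode("utf-8")


def encode_string(s: str) -> bytes:
    """Serialize std_msgs/msg/String {string data}."""
    data = s.encode("utf-8") + b"\x00"
    return CDR_LE_HEADER + struct.pack("<I", len(data)) + data


def encode_twist(linear, angular) -> bytes:
    """Serialize geometry_msgs/msg/Twist: two Vector3 of float64 (48 bytes)."""
    return CDR_LE_HEADER + struct.pack("<6d", *linear, *angular)


def decode_string(buf: bytes) -> str:
    return CdrReader(buf).string()


def decode_twist(buf: bytes) -> dict:
    r = CdrReader(buf)
    vals = [r.f64() for _ in range(6)]
    return {"linear": tuple(vals[:3]), "angular": tuple(vals[3:])}


def try_decode(decoder, buf: bytes):
    """Guarded subscriber boundary: reject a bad payload instead of crashing."""
    try:
        return ("ok", decoder(buf))
    except (NotEnoughData, ValueError, UnicodeDecodeError) as e:
        return ("rejected", f"{type(e).__name__}: {e}")


if __name__ == "__main__":
    string_payload = encode_string("hello")            # 14 bytes
    twist_payload = encode_twist((0.1, 0.0, 0.0), (0.0, 0.0, 0.5))  # 52 bytes
    # Well-typed traffic round-trips.
    print(decode_string(string_payload), decode_twist(twist_payload))
    # Type confusion: String bytes on a Twist topic, Twist bytes on a String topic.
    print(try_decode(decode_twist, string_payload))
    print(try_decode(decode_string, twist_payload))
```

The second confused case is the more instructive one: the length field is not garbage but the low half of the IEEE-754 encoding of 0.1 (0x9999999A), so a decoder that trusts the length before checking it against the buffer will attempt a read of roughly 2.5 GB. A fixed-size type such as Twist can additionally be rejected up front when the payload is not exactly 4 + 48 bytes, which is the kind of runtime check the abstract argues the middleware currently lacks.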