{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3adronecodepx4_drone_autopilot1.17.0beta1/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc2:*:*:*:*:*:*"],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-32743"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Px4_Drone_Autopilot","PX4 Autopilot \u003c=1.17.0-rc2"],"_cs_severities":["medium"],"_cs_tags":["px4","autopilot","drone","denial-of-service","buffer-overflow"],"_cs_type":"advisory","_cs_vendors":["Dronecode"],"content_html":"\u003cp\u003eCVE-2026-32743 is a stack-based buffer overflow vulnerability affecting Dronecode PX4 Autopilot versions up to and including 1.17.0-rc2. The vulnerability resides in the \u003ccode\u003eMavlinkLogHandler\u003c/code\u003e, where the \u003ccode\u003eLogEntry.filepath\u003c/code\u003e buffer, limited to 60 bytes, is vulnerable to overflowing due to the use of \u003ccode\u003esscanf()\u003c/code\u003e without a width specifier when parsing log directory paths. An attacker with network access to the flight controller\u0026rsquo;s MAVLink UDP port (default 14550) can exploit this by creating a deeply nested directory exceeding 60 bytes via MAVLink FTP and then triggering the overflow by requesting the log list. This leads to a crash of the MAVLink task, resulting in loss of telemetry and command capability, and a persistent Denial of Service (DoS) until the system is rebooted. This was fixed in commit 616b25a which adds a width specifier to \u003ccode\u003esscanf\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker establishes a MAVLink connection with the PX4 Autopilot system, typically over UDP port 14550.\u003c/li\u003e\n\u003cli\u003eMAVLink FTP is utilized to create a new directory inside the \u003ccode\u003e/fs/microsd/log/\u003c/code\u003e directory with a path exceeding 60 bytes. For example, \u0026ldquo;/fs/microsd/log/\u0026rdquo; + \u0026ldquo;A\u0026rdquo;*70.\u003c/li\u003e\n\u003cli\u003eThe PX4 Autopilot system successfully creates the directory on the SD card.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003eMAV_CMD_REQUEST_LOG_LIST\u003c/code\u003e command (command 261) to the PX4 Autopilot system.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eMavlinkLogHandler::list()\u003c/code\u003e function is invoked, attempting to read the log directory.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003esscanf(path, \u0026quot;%s\u0026quot;, LogEntry.filepath)\u003c/code\u003e function is used without a width limit, copying the oversized path into the undersized \u003ccode\u003eLogEntry.filepath\u003c/code\u003e buffer.\u003c/li\u003e\n\u003cli\u003eA stack-based buffer overflow occurs, writing 70 bytes into a 60-byte buffer.\u003c/li\u003e\n\u003cli\u003eThe MAVLink task crashes due to the buffer overflow, leading to a loss of telemetry and command capabilities and resulting in a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition, where the PX4 Autopilot system becomes unmanageable and unresponsive. The MAVLink task crashes which means the flight controller loses telemetry and command capability until a reboot. This can be critical if the drone is in flight, as it will lose its ability to receive commands and potentially lead to a crash.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PX4 Autopilot to a version later than 1.17.0-rc2, which includes the fix in commit 616b25a that adds a width specifier to \u003ccode\u003esscanf\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual MAVLink FTP activity, specifically the creation of deeply nested directories with path lengths exceeding 60 bytes within the \u003ccode\u003e/fs/microsd/log/\u003c/code\u003e directory, as this is indicative of CVE-2026-32743 exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PX4 Autopilot MAVLink FTP Long Directory Creation\u003c/code\u003e to detect the creation of overly long directory paths via MAVLink FTP, which is a prerequisite for exploiting CVE-2026-32743.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T17:08:50Z","date_published":"2026-05-08T17:08:50Z","id":"/briefs/2026-05-px4-autopilot-dos/","summary":"A stack-based buffer overflow vulnerability exists in Dronecode PX4 Autopilot versions up to and including 1.17.0-rc2 that allows an attacker with MAVLink link access to cause a denial of service by creating a deeply nested directory via MAVLink FTP and then requesting the log list, crashing the MAVLink task.","title":"Dronecode PX4 Autopilot MavlinkLogHandler Stack Buffer Overflow DoS (CVE-2026-32743)","url":"https://feed.craftedsignal.io/briefs/2026-05-px4-autopilot-dos/"},{"_cs_actors":["Mohammed Idrees Banyamer"],"_cs_cpes":["cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:*"],"_cs_cves":[{"cvss":5.2,"id":"CVE-2026-32707"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PX4-Autopilot (\u003c= 1.17.0-rc1)"],"_cs_severities":["medium"],"_cs_tags":["stack buffer overflow","denial of service","CVE-2026-32707"],"_cs_type":"threat","_cs_vendors":["Dronecode"],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability, CVE-2026-32707, was discovered in the \u003ccode\u003etattu_can\u003c/code\u003e driver of the Dronecode PX4-Autopilot flight controller firmware. This vulnerability affects versions up to and including 1.17.0-rc1. The flaw stems from an unbounded memcpy() operation within the multi-frame message assembly routine of the \u003ccode\u003eTattu12SBatteryMessage\u003c/code\u003e structure. Successful exploitation allows an attacker capable of injecting CAN frames into the bus to trigger a stack corruption, causing the PX4 process to crash, leading to a denial-of-service condition. The vulnerability has been patched in PX4-Autopilot version 1.17.0-rc2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker injects a CAN frame into the CAN bus with DLC=8 and the last byte of the data set to 0x80. This signals the start of a new \u003ccode\u003eTattu12SBatteryMessage\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etattu_can\u003c/code\u003e driver receives the start-of-transfer frame.\u003c/li\u003e\n\u003cli\u003eThe driver allocates a 48-byte buffer on the stack (\u003ccode\u003etattu_message\u003c/code\u003e). The first 5 bytes from the start frame are copied into the stack buffer.\u003c/li\u003e\n\u003cli\u003eThe attacker sends seven subsequent CAN frames, each with DLC=8, containing the overflow payload (7 bytes of data per frame are copied).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etattu_can\u003c/code\u003e driver processes each overflow frame, copying 7 bytes from each frame into the \u003ccode\u003etattu_message\u003c/code\u003e buffer using \u003ccode\u003ememcpy()\u003c/code\u003e, incrementing the offset by 7 bytes after each copy.\u003c/li\u003e\n\u003cli\u003eAfter processing the seventh overflow frame, the cumulative offset exceeds the 48-byte buffer size.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a final overflow CAN frame, which triggers the last \u003ccode\u003ememcpy()\u003c/code\u003e operation, writing past the boundaries of the buffer on the stack.\u003c/li\u003e\n\u003cli\u003eThe stack corruption leads to a segmentation fault or hard fault, causing the PX4 process to crash and resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition on the PX4-Autopilot system. On a real flight controller, this can result in a loss of control of the drone, potentially causing it to crash. The vulnerability affects systems running PX4-Autopilot versions up to and including 1.17.0-rc1 with the \u003ccode\u003etattu_can\u003c/code\u003e driver enabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate PX4-Autopilot to version 1.17.0-rc2 or later, as specified in the \u0026ldquo;Vulnerable \u0026amp; Fixed Versions\u0026rdquo; section of this brief.\u003c/li\u003e\n\u003cli\u003eDisable the \u003ccode\u003etattu_can\u003c/code\u003e driver if it is not required by running \u003ccode\u003etattu_can stop\u003c/code\u003e or removing it from the build, as mentioned in the \u0026ldquo;Mitigation\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eApply the patch manually, incorporating the bounds check added in commit \u003ccode\u003e3f04b7a\u003c/code\u003e, as detailed in the \u0026ldquo;Mitigation\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eMonitor CAN bus traffic for suspicious frames with DLC=8 and a last byte of 0x80, followed by multiple overflow frames as described in the attack chain; implement rules to detect anomalous CAN traffic patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T11:12:14Z","date_published":"2026-05-08T11:12:14Z","id":"/briefs/2024-01-02-dronecode-px4-dos/","summary":"A stack-based buffer overflow vulnerability exists in the `tattu_can` driver of Dronecode PX4-Autopilot versions 1.17.0-rc1 and earlier; by injecting specially crafted CAN frames, an attacker can trigger an unbounded memcpy operation, leading to a stack corruption and subsequent crash of the PX4 process, resulting in a denial of service.","title":"Dronecode PX4-Autopilot tattu_can Stack Buffer Overflow (CVE-2026-32707)","url":"https://feed.craftedsignal.io/briefs/2024-01-02-dronecode-px4-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}