{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3adronecodepx4_drone_autopilot1.17.0rc2/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc2:*:*:*:*:*:*"],"_cs_cves":[{"cvss":6.5,"id":"CVE-2026-32743"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Px4_Drone_Autopilot","PX4 Autopilot \u003c=1.17.0-rc2"],"_cs_severities":["medium"],"_cs_tags":["px4","autopilot","drone","denial-of-service","buffer-overflow"],"_cs_type":"advisory","_cs_vendors":["Dronecode"],"content_html":"\u003cp\u003eCVE-2026-32743 is a stack-based buffer overflow vulnerability affecting Dronecode PX4 Autopilot versions up to and including 1.17.0-rc2. The vulnerability resides in the \u003ccode\u003eMavlinkLogHandler\u003c/code\u003e, where the \u003ccode\u003eLogEntry.filepath\u003c/code\u003e buffer, limited to 60 bytes, is vulnerable to overflowing due to the use of \u003ccode\u003esscanf()\u003c/code\u003e without a width specifier when parsing log directory paths. An attacker with network access to the flight controller\u0026rsquo;s MAVLink UDP port (default 14550) can exploit this by creating a deeply nested directory exceeding 60 bytes via MAVLink FTP and then triggering the overflow by requesting the log list. This leads to a crash of the MAVLink task, resulting in loss of telemetry and command capability, and a persistent Denial of Service (DoS) until the system is rebooted. This was fixed in commit 616b25a which adds a width specifier to \u003ccode\u003esscanf\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker establishes a MAVLink connection with the PX4 Autopilot system, typically over UDP port 14550.\u003c/li\u003e\n\u003cli\u003eMAVLink FTP is utilized to create a new directory inside the \u003ccode\u003e/fs/microsd/log/\u003c/code\u003e directory with a path exceeding 60 bytes. For example, \u0026ldquo;/fs/microsd/log/\u0026rdquo; + \u0026ldquo;A\u0026rdquo;*70.\u003c/li\u003e\n\u003cli\u003eThe PX4 Autopilot system successfully creates the directory on the SD card.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003eMAV_CMD_REQUEST_LOG_LIST\u003c/code\u003e command (command 261) to the PX4 Autopilot system.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eMavlinkLogHandler::list()\u003c/code\u003e function is invoked, attempting to read the log directory.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003esscanf(path, \u0026quot;%s\u0026quot;, LogEntry.filepath)\u003c/code\u003e function is used without a width limit, copying the oversized path into the undersized \u003ccode\u003eLogEntry.filepath\u003c/code\u003e buffer.\u003c/li\u003e\n\u003cli\u003eA stack-based buffer overflow occurs, writing 70 bytes into a 60-byte buffer.\u003c/li\u003e\n\u003cli\u003eThe MAVLink task crashes due to the buffer overflow, leading to a loss of telemetry and command capabilities and resulting in a denial-of-service condition.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition, where the PX4 Autopilot system becomes unmanageable and unresponsive. The MAVLink task crashes which means the flight controller loses telemetry and command capability until a reboot. This can be critical if the drone is in flight, as it will lose its ability to receive commands and potentially lead to a crash.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PX4 Autopilot to a version later than 1.17.0-rc2, which includes the fix in commit 616b25a that adds a width specifier to \u003ccode\u003esscanf\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for unusual MAVLink FTP activity, specifically the creation of deeply nested directories with path lengths exceeding 60 bytes within the \u003ccode\u003e/fs/microsd/log/\u003c/code\u003e directory, as this is indicative of CVE-2026-32743 exploitation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect PX4 Autopilot MAVLink FTP Long Directory Creation\u003c/code\u003e to detect the creation of overly long directory paths via MAVLink FTP, which is a prerequisite for exploiting CVE-2026-32743.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T17:08:50Z","date_published":"2026-05-08T17:08:50Z","id":"/briefs/2026-05-px4-autopilot-dos/","summary":"A stack-based buffer overflow vulnerability exists in Dronecode PX4 Autopilot versions up to and including 1.17.0-rc2 that allows an attacker with MAVLink link access to cause a denial of service by creating a deeply nested directory via MAVLink FTP and then requesting the log list, crashing the MAVLink task.","title":"Dronecode PX4 Autopilot MavlinkLogHandler Stack Buffer Overflow DoS (CVE-2026-32743)","url":"https://feed.craftedsignal.io/briefs/2026-05-px4-autopilot-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc2:*:*:*:*:*:*","version":"https://jsonfeed.org/version/1.1"}