{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/px4-autopilot--1.17.0-rc1/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Mohammed Idrees Banyamer"],"_cs_cpes":["cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:*"],"_cs_cves":[{"cvss":5.2,"id":"CVE-2026-32707"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PX4-Autopilot (\u003c= 1.17.0-rc1)"],"_cs_severities":["medium"],"_cs_tags":["stack buffer overflow","denial of service","CVE-2026-32707"],"_cs_type":"threat","_cs_vendors":["Dronecode"],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability, CVE-2026-32707, was discovered in the \u003ccode\u003etattu_can\u003c/code\u003e driver of the Dronecode PX4-Autopilot flight controller firmware. This vulnerability affects versions up to and including 1.17.0-rc1. The flaw stems from an unbounded memcpy() operation within the multi-frame message assembly routine of the \u003ccode\u003eTattu12SBatteryMessage\u003c/code\u003e structure. Successful exploitation allows an attacker capable of injecting CAN frames into the bus to trigger a stack corruption, causing the PX4 process to crash, leading to a denial-of-service condition. The vulnerability has been patched in PX4-Autopilot version 1.17.0-rc2.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker injects a CAN frame into the CAN bus with DLC=8 and the last byte of the data set to 0x80. This signals the start of a new \u003ccode\u003eTattu12SBatteryMessage\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etattu_can\u003c/code\u003e driver receives the start-of-transfer frame.\u003c/li\u003e\n\u003cli\u003eThe driver allocates a 48-byte buffer on the stack (\u003ccode\u003etattu_message\u003c/code\u003e). The first 5 bytes from the start frame are copied into the stack buffer.\u003c/li\u003e\n\u003cli\u003eThe attacker sends seven subsequent CAN frames, each with DLC=8, containing the overflow payload (7 bytes of data per frame are copied).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etattu_can\u003c/code\u003e driver processes each overflow frame, copying 7 bytes from each frame into the \u003ccode\u003etattu_message\u003c/code\u003e buffer using \u003ccode\u003ememcpy()\u003c/code\u003e, incrementing the offset by 7 bytes after each copy.\u003c/li\u003e\n\u003cli\u003eAfter processing the seventh overflow frame, the cumulative offset exceeds the 48-byte buffer size.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a final overflow CAN frame, which triggers the last \u003ccode\u003ememcpy()\u003c/code\u003e operation, writing past the boundaries of the buffer on the stack.\u003c/li\u003e\n\u003cli\u003eThe stack corruption leads to a segmentation fault or hard fault, causing the PX4 process to crash and resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition on the PX4-Autopilot system. On a real flight controller, this can result in a loss of control of the drone, potentially causing it to crash. The vulnerability affects systems running PX4-Autopilot versions up to and including 1.17.0-rc1 with the \u003ccode\u003etattu_can\u003c/code\u003e driver enabled.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpdate PX4-Autopilot to version 1.17.0-rc2 or later, as specified in the \u0026ldquo;Vulnerable \u0026amp; Fixed Versions\u0026rdquo; section of this brief.\u003c/li\u003e\n\u003cli\u003eDisable the \u003ccode\u003etattu_can\u003c/code\u003e driver if it is not required by running \u003ccode\u003etattu_can stop\u003c/code\u003e or removing it from the build, as mentioned in the \u0026ldquo;Mitigation\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eApply the patch manually, incorporating the bounds check added in commit \u003ccode\u003e3f04b7a\u003c/code\u003e, as detailed in the \u0026ldquo;Mitigation\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eMonitor CAN bus traffic for suspicious frames with DLC=8 and a last byte of 0x80, followed by multiple overflow frames as described in the attack chain; implement rules to detect anomalous CAN traffic patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-08T11:12:14Z","date_published":"2026-05-08T11:12:14Z","id":"/briefs/2024-01-02-dronecode-px4-dos/","summary":"A stack-based buffer overflow vulnerability exists in the `tattu_can` driver of Dronecode PX4-Autopilot versions 1.17.0-rc1 and earlier; by injecting specially crafted CAN frames, an attacker can trigger an unbounded memcpy operation, leading to a stack corruption and subsequent crash of the PX4 process, resulting in a denial of service.","title":"Dronecode PX4-Autopilot tattu_can Stack Buffer Overflow (CVE-2026-32707)","url":"https://feed.craftedsignal.io/briefs/2024-01-02-dronecode-px4-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — PX4-Autopilot (\u003c= 1.17.0-Rc1)","version":"https://jsonfeed.org/version/1.1"}