CVE-2026-32707 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/cve-2026-32707/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 08 May 2026 11:12:14 +0000Dronecode PX4-Autopilot tattu_can Stack Buffer Overflow (CVE-2026-32707)https://feed.craftedsignal.io/briefs/2024-01-02-dronecode-px4-dos/Fri, 08 May 2026 11:12:14 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-02-dronecode-px4-dos/A stack-based buffer overflow vulnerability exists in the `tattu_can` driver of Dronecode PX4-Autopilot versions 1.17.0-rc1 and earlier; by injecting specially crafted CAN frames, an attacker can trigger an unbounded memcpy operation, leading to a stack corruption and subsequent crash of the PX4 process, resulting in a denial of service.A stack-based buffer overflow vulnerability, CVE-2026-32707, was discovered in the tattu_can driver of the Dronecode PX4-Autopilot flight controller firmware. This vulnerability affects versions up to and including 1.17.0-rc1. The flaw stems from an unbounded memcpy() operation within the multi-frame message assembly routine of the Tattu12SBatteryMessage structure. Successful exploitation allows an attacker capable of injecting CAN frames into the bus to trigger a stack corruption, causing the PX4 process to crash, leading to a denial-of-service condition. The vulnerability has been patched in PX4-Autopilot version 1.17.0-rc2.

Attack Chain

  1. Attacker injects a CAN frame into the CAN bus with DLC=8 and the last byte of the data set to 0x80. This signals the start of a new Tattu12SBatteryMessage.
  2. The tattu_can driver receives the start-of-transfer frame.
  3. The driver allocates a 48-byte buffer on the stack (tattu_message). The first 5 bytes from the start frame are copied into the stack buffer.
  4. The attacker sends seven subsequent CAN frames, each with DLC=8, containing the overflow payload (7 bytes of data per frame are copied).
  5. The tattu_can driver processes each overflow frame, copying 7 bytes from each frame into the tattu_message buffer using memcpy(), incrementing the offset by 7 bytes after each copy.
  6. After processing the seventh overflow frame, the cumulative offset exceeds the 48-byte buffer size.
  7. The attacker sends a final overflow CAN frame, which triggers the last memcpy() operation, writing past the boundaries of the buffer on the stack.
  8. The stack corruption leads to a segmentation fault or hard fault, causing the PX4 process to crash and resulting in a denial of service.

Impact

Successful exploitation of this vulnerability leads to a denial-of-service condition on the PX4-Autopilot system. On a real flight controller, this can result in a loss of control of the drone, potentially causing it to crash. The vulnerability affects systems running PX4-Autopilot versions up to and including 1.17.0-rc1 with the tattu_can driver enabled.

Recommendation

  • Update PX4-Autopilot to version 1.17.0-rc2 or later, as specified in the “Vulnerable & Fixed Versions” section of this brief.
  • Disable the tattu_can driver if it is not required by running tattu_can stop or removing it from the build, as mentioned in the “Mitigation” section.
  • Apply the patch manually, incorporating the bounds check added in commit 3f04b7a, as detailed in the “Mitigation” section.
  • Monitor CAN bus traffic for suspicious frames with DLC=8 and a last byte of 0x80, followed by multiple overflow frames as described in the attack chain; implement rules to detect anomalous CAN traffic patterns.
]]>mediumthreatstack buffer overflowdenial of serviceCVE-2026-32707