Dronecode PX4 Autopilot MavlinkLogHandler Stack Buffer Overflow DoS (CVE-2026-32743)

hello@craftedsignal.io — Fri, 08 May 2026 17:08:50 +0000

CVE-2026-32743 is a stack-based buffer overflow vulnerability affecting Dronecode PX4 Autopilot versions up to and including 1.17.0-rc2. The vulnerability resides in the MavlinkLogHandler, where the LogEntry.filepath buffer, limited to 60 bytes, is vulnerable to overflowing due to the use of sscanf() without a width specifier when parsing log directory paths. An attacker with network access to the flight controller’s MAVLink UDP port (default 14550) can exploit this by creating a deeply nested directory exceeding 60 bytes via MAVLink FTP and then triggering the overflow by requesting the log list. This leads to a crash of the MAVLink task, resulting in loss of telemetry and command capability, and a persistent Denial of Service (DoS) until the system is rebooted. This was fixed in commit 616b25a which adds a width specifier to sscanf.

Attack Chain

The attacker establishes a MAVLink connection with the PX4 Autopilot system, typically over UDP port 14550.
MAVLink FTP is utilized to create a new directory inside the /fs/microsd/log/ directory with a path exceeding 60 bytes. For example, “/fs/microsd/log/” + “A”*70.
The PX4 Autopilot system successfully creates the directory on the SD card.
The attacker sends a MAV_CMD_REQUEST_LOG_LIST command (command 261) to the PX4 Autopilot system.
The MavlinkLogHandler::list() function is invoked, attempting to read the log directory.
The vulnerable sscanf(path, "%s", LogEntry.filepath) function is used without a width limit, copying the oversized path into the undersized LogEntry.filepath buffer.
A stack-based buffer overflow occurs, writing 70 bytes into a 60-byte buffer.
The MAVLink task crashes due to the buffer overflow, leading to a loss of telemetry and command capabilities and resulting in a denial-of-service condition.

Impact

Successful exploitation of this vulnerability leads to a denial-of-service condition, where the PX4 Autopilot system becomes unmanageable and unresponsive. The MAVLink task crashes which means the flight controller loses telemetry and command capability until a reboot. This can be critical if the drone is in flight, as it will lose its ability to receive commands and potentially lead to a crash.

Recommendation

Upgrade PX4 Autopilot to a version later than 1.17.0-rc2, which includes the fix in commit 616b25a that adds a width specifier to sscanf.
Monitor network traffic for unusual MAVLink FTP activity, specifically the creation of deeply nested directories with path lengths exceeding 60 bytes within the /fs/microsd/log/ directory, as this is indicative of CVE-2026-32743 exploitation.
Deploy the Sigma rule Detect PX4 Autopilot MAVLink FTP Long Directory Creation to detect the creation of overly long directory paths via MAVLink FTP, which is a prerequisite for exploiting CVE-2026-32743.

Dronecode PX4-Autopilot tattu_can Stack Buffer Overflow (CVE-2026-32707)

hello@craftedsignal.io — Fri, 08 May 2026 11:12:14 +0000

A stack-based buffer overflow vulnerability, CVE-2026-32707, was discovered in the tattu_can driver of the Dronecode PX4-Autopilot flight controller firmware. This vulnerability affects versions up to and including 1.17.0-rc1. The flaw stems from an unbounded memcpy() operation within the multi-frame message assembly routine of the Tattu12SBatteryMessage structure. Successful exploitation allows an attacker capable of injecting CAN frames into the bus to trigger a stack corruption, causing the PX4 process to crash, leading to a denial-of-service condition. The vulnerability has been patched in PX4-Autopilot version 1.17.0-rc2.

Attack Chain

Attacker injects a CAN frame into the CAN bus with DLC=8 and the last byte of the data set to 0x80. This signals the start of a new Tattu12SBatteryMessage.
The tattu_can driver receives the start-of-transfer frame.
The driver allocates a 48-byte buffer on the stack (tattu_message). The first 5 bytes from the start frame are copied into the stack buffer.
The attacker sends seven subsequent CAN frames, each with DLC=8, containing the overflow payload (7 bytes of data per frame are copied).
The tattu_can driver processes each overflow frame, copying 7 bytes from each frame into the tattu_message buffer using memcpy(), incrementing the offset by 7 bytes after each copy.
After processing the seventh overflow frame, the cumulative offset exceeds the 48-byte buffer size.
The attacker sends a final overflow CAN frame, which triggers the last memcpy() operation, writing past the boundaries of the buffer on the stack.
The stack corruption leads to a segmentation fault or hard fault, causing the PX4 process to crash and resulting in a denial of service.

Impact

Successful exploitation of this vulnerability leads to a denial-of-service condition on the PX4-Autopilot system. On a real flight controller, this can result in a loss of control of the drone, potentially causing it to crash. The vulnerability affects systems running PX4-Autopilot versions up to and including 1.17.0-rc1 with the tattu_can driver enabled.

Recommendation

Update PX4-Autopilot to version 1.17.0-rc2 or later, as specified in the “Vulnerable & Fixed Versions” section of this brief.
Disable the tattu_can driver if it is not required by running tattu_can stop or removing it from the build, as mentioned in the “Mitigation” section.
Apply the patch manually, incorporating the bounds check added in commit 3f04b7a, as detailed in the “Mitigation” section.
Monitor CAN bus traffic for suspicious frames with DLC=8 and a last byte of 0x80, followed by multiple overflow frames as described in the attack chain; implement rules to detect anomalous CAN traffic patterns.

Dronecode — CraftedSignal Threat Feed

Dronecode PX4 Autopilot MavlinkLogHandler Stack Buffer Overflow DoS (CVE-2026-32743)

Attack Chain

Impact

Recommendation

Dronecode PX4-Autopilot tattu_can Stack Buffer Overflow (CVE-2026-32707)

Attack Chain

Impact

Recommendation