Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32705 is a stack-based buffer overflow vulnerability in the PX4-Autopilot project's BST telemetry driver. It occurs because the driver writes a string terminator at an index specified by a device-provided length (dev_name_len) without checking if this length exceeds the buffer size. The dev_name buffer is statically allocated with 32 bytes, but dev_name_len can be attacker-controlled and set to a value larger than or equal to 32, causing a write beyond the buffer boundary."}, {'type': 'paragraph', 'content': 'This overflow leads to stack corruption, which can crash the driver task or potentially allow an attacker to execute arbitrary code within the BST driver context. The vulnerability can be exploited by any malicious BST device or an attacker controlling the I2C bus, requires no privileges or user interaction, and has a low attack complexity.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing the PX4 autopilot system to crash, disrupting drone flight control operations. In a worst-case scenario, it could allow an attacker to execute arbitrary code within the BST driver context, potentially taking control of the affected system.

Because the attack requires physical access to the I2C bus or a malicious BST device, it poses a risk in environments where such access is possible. The impact includes high confidentiality, integrity, and availability risks as indicated by the CVSS score.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability arises from a stack-based buffer overflow in the BST telemetry driver when a malicious BST device reports an oversized dev_name_len value. Detection involves monitoring the I2C bus communications for abnormal or oversized dev_name_len values that exceed the expected buffer size of 32 bytes.'}, {'type': 'paragraph', 'content': 'Since the vulnerability is triggered by a device-provided length during I2C communication, one approach is to capture and analyze I2C traffic to identify dev_name_len values greater than or equal to 32.'}, {'type': 'list_item', 'content': 'Use an I2C bus sniffer or logic analyzer to capture traffic on the I2C bus connected to the PX4 autopilot device.'}, {'type': 'list_item', 'content': "Filter or search captured data for the BST telemetry probe's device info reply messages."}, {'type': 'list_item', 'content': 'Check the dev_name_len field in these messages for values ≥ 32, which indicate a potential exploit attempt.'}, {'type': 'paragraph', 'content': "No specific commands are provided in the resources, but using tools like 'i2cdetect', 'i2cdump' (on Linux systems with I2C support), or dedicated hardware I2C analyzers can help capture and inspect the relevant data."}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the PX4 autopilot software to version 1.17.0-rc2 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, restrict physical access to the I2C bus to prevent malicious BST devices or attackers from connecting and exploiting the vulnerability.

Monitor system logs and driver behavior for crashes or anomalies that could indicate exploitation attempts.

Useful 0 Not Useful 0