CVE-2026-32707
Unbounded memcpy Buffer Overflow in PX4 tattu_can Causes DoS
Publication date: 2026-03-16
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dronecode | px4_drone_autopilot | up to 1.17.0 (exclusive) |
| dronecode | px4_drone_autopilot | 1.17.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to a denial of service (DoS) by crashing the PX4 autopilot system due to memory corruption caused by the stack buffer overflow.
An attacker with physical access to the CAN bus can exploit this flaw to disrupt drone flight control, potentially causing loss of control or failure of the drone.
The integrity of the system is impacted at a low level, meaning data or control flow could be altered, but confidentiality is not affected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-32707 is a stack-based buffer overflow vulnerability in the PX4 autopilot software, specifically in the tattu_can driver that processes CAN frames.
The flaw occurs due to an unbounded memcpy operation in the multi-frame assembly loop, where payload data from CAN frames is copied into a stack-allocated structure without proper bounds checking.
This allows crafted CAN frames to overwrite stack memory, causing memory corruption and potentially crashing the system.
The vulnerability can be exploited by an attacker with physical access capable of injecting CAN frames, without requiring any privileges or user interaction.
It affects PX4 versions prior to 1.17.0-rc2 where the tattu_can driver is enabled and running.
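A bounds-checked form of the kind of multi-frame assembly loop described above, as an added example that is not PX4's code or its fix. The frame layout, the 48-byte destination and every name here are hypothetical, and the input frames are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical layout: NOT the PX4 tattu_can structures or wire format. */
#define CAN_MAX_DLC 8
typedef struct {
    uint8_t data[CAN_MAX_DLC];
    uint8_t dlc;         /* payload length claimed by the frame */
    uint8_t end_of_msg;  /* non-zero on the last frame of a message */
} can_frame_t;
typedef struct { uint8_t bytes[48]; } battery_msg_t;  /* fixed-size destination */
enum { ASM_INCOMPLETE = -1, ASM_BAD_DLC = -2, ASM_OVERFLOW = -3 };

/* Returns the assembled length (>= 0) or a negative ASM_* error. */
int assemble_message(const can_frame_t *frames, size_t n, battery_msg_t *out)
{
    size_t offset = 0;
    memset(out, 0, sizeof(*out));
    for (size_t i = 0; i < n; i++) {
        size_t len = frames[i].dlc;
        if (len > CAN_MAX_DLC) return ASM_BAD_DLC;
        /* The check an unbounded copy loop lacks: compare against the
           space left, written so the subtraction can never wrap. */
        if (len > sizeof(out->bytes) - offset) return ASM_OVERFLOW;
        memcpy(out->bytes + offset, frames[i].data, len);
        offset += len;
        if (frames[i].end_of_msg) return (int)offset;
    }
    return ASM_INCOMPLETE;  /* ran out of frames before an end marker */
}

/* Constructed input: n frames of `dlc` bytes, the last optionally flagged. */
int demo_stream(size_t n, uint8_t dlc, int terminate)
{
    can_frame_t frames[16];
    battery_msg_t msg;  /* stack-allocated, like the destination in the advisory */
    if (n > 16) n = 16;
    memset(frames, 0xAB, sizeof(frames));
    for (size_t i = 0; i < n; i++) {
        frames[i].dlc = dlc;
        frames[i].end_of_msg = (uint8_t)(terminate && i == n - 1);
    }
    return assemble_message(frames, n, &msg);
}
```

A stream that would run past the destination is rejected with `ASM_OVERFLOW` before any byte of the offending frame is copied, so the caller can drop the message and log the event.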
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs in the tattu_can driver when processing crafted CAN frames that cause a stack buffer overflow. Detection involves monitoring for crashes or memory corruption symptoms in systems running PX4 autopilot with the tattu_can driver enabled.
Since exploitation requires physical CAN frame injection, detection can include capturing and analyzing CAN traffic for abnormal or malformed frames targeting the tattu_can driver.
No specific detection commands are provided in the resources, but general approaches include:
- Using CAN bus monitoring tools (e.g., can-utils) to capture CAN frames and inspect payload sizes and sequences for anomalies.
- Monitoring PX4 autopilot logs for crashes or memory corruption events related to tattu_can.
- Running the provided proof-of-concept (PoC) scripts from the security-lab directory in a controlled environment to reproduce and detect the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade PX4 autopilot to version 1.17.0-rc2 or later, where the vulnerability in the tattu_can driver has been fixed.
If upgrading immediately is not possible, consider disabling the tattu_can driver (CONFIG_DRIVERS_TATTU_CAN) to prevent processing of CAN frames by this vulnerable component.
Additionally, restrict physical access to the CAN bus to prevent attackers from injecting crafted CAN frames.