CVE-2026-32707
Undergoing Analysis Undergoing Analysis - In Progress
Unbounded memcpy Buffer Overflow in PX4 tattu_can Causes DoS

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, tattu_can contains an unbounded memcpy in its multi-frame assembly loop, allowing stack memory overwrite when crafted CAN frames are processed. In deployments where tattu_can is enabled and running, a CAN-injection-capable attacker can trigger a crash (DoS) and memory corruption. This vulnerability is fixed in 1.17.0-rc2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32707
EUVD
EUVD-2026-12152
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
dronecode px4_drone_autopilot to 1.17.0 (exc)
dronecode px4_drone_autopilot 1.17.0
dronecode px4_drone_autopilot 1.17.0
dronecode px4_drone_autopilot 1.17.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to a denial of service (DoS) by crashing the PX4 autopilot system due to memory corruption caused by the stack buffer overflow.

An attacker with physical access to the CAN bus can exploit this flaw to disrupt drone flight control, potentially causing loss of control or failure of the drone.

The integrity of the system is impacted at a low level, meaning data or control flow could be altered, but confidentiality is not affected.

Compliance Impact

I don't know

Executive Summary

CVE-2026-32707 is a stack-based buffer overflow vulnerability in the PX4 autopilot software, specifically in the tattu_can driver that processes CAN frames.

The flaw occurs due to an unbounded memcpy operation in the multi-frame assembly loop, where payload data from CAN frames is copied into a stack-allocated structure without proper bounds checking.

This allows crafted CAN frames to overwrite stack memory, causing memory corruption and potentially crashing the system.

The vulnerability can be exploited by an attacker with physical access capable of injecting CAN frames, without requiring any privileges or user interaction.

It affects PX4 versions prior to 1.17.0-rc2 where the tattu_can driver is enabled and running.

Detection Guidance

This vulnerability occurs in the tattu_can driver when processing crafted CAN frames that cause a stack buffer overflow. Detection involves monitoring for crashes or memory corruption symptoms in systems running PX4 autopilot with the tattu_can driver enabled.

Since exploitation requires physical CAN frame injection, detection can include capturing and analyzing CAN traffic for abnormal or malformed frames targeting the tattu_can driver.

No specific detection commands are provided in the resources, but general approaches include:

  • Using CAN bus monitoring tools (e.g., can-utils) to capture CAN frames and inspect payload sizes and sequences for anomalies.
  • Monitoring PX4 autopilot logs for crashes or memory corruption events related to tattu_can.
  • Running the provided proof-of-concept (PoC) scripts from the security-lab directory in a controlled environment to reproduce and detect the vulnerability.
Mitigation Strategies

The primary mitigation is to upgrade PX4 autopilot to version 1.17.0-rc2 or later, where the vulnerability in the tattu_can driver has been fixed.

If upgrading immediately is not possible, consider disabling the tattu_can driver (CONFIG_DRIVERS_TATTU_CAN) to prevent processing of CAN frames by this vulnerable component.

Additionally, restrict physical access to the CAN bus to prevent attackers from injecting crafted CAN frames.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32707. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart