CVE-2026-32708
Stack Overflow in PX4 Zenoh uORB Subscriber Causes Crash
Publication date: 2026-03-16
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dronecode | px4_drone_autopilot | to 1.17.0 (exc) |
| dronecode | px4_drone_autopilot | 1.17.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32708 is a high-severity stack-based buffer overflow vulnerability in the Zenoh uORB subscriber component of the PX4 autopilot system for drones. The issue occurs because the code allocates a variable-length array (VLA) on the stack based directly on the length of an incoming payload without enforcing any maximum size limit.

When a remote Zenoh publisher sends an oversized fragmented message, the code allocates a stack buffer larger than the thread's stack size, causing a stack overflow. This overflow corrupts adjacent stack frames and crashes the Zenoh bridge task.

The vulnerability is exploitable remotely by any Zenoh publisher on the network, requires low privileges, and no user interaction. It can lead to confidentiality, integrity, and availability loss, and potentially remote code execution if stack protections are weak. [1]
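The allocation pattern described above, next to a bounded alternative, as an added example (not PX4 source and not the project's patch). The function names, the `sub_stats_t` counters and the 512-byte `MAX_PAYLOAD_LEN` cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PAYLOAD_LEN 512u  /* assumed cap, not a PX4 constant */

typedef struct {
    uint32_t accepted;
    uint32_t rejected;  /* dropped samples; a rising count is worth alerting on */
    uint32_t last_sum;  /* stand-in for deserialized output */
} sub_stats_t;

static uint32_t sum_bytes(const uint8_t *p, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++) s += p[i];
    return s;
}

/* Vulnerable shape: the sender chooses how much stack is consumed. */
int handle_payload_vla(sub_stats_t *st, const uint8_t *payload, size_t len)
{
    uint8_t buf[len];  /* VLA sized by untrusted length, no upper bound */
    memcpy(buf, payload, len);
    st->last_sum = sum_bytes(buf, len);
    st->accepted++;
    return (int)len;
}

/* Hardened shape: fixed buffer, length validated before any copy. */
int handle_payload_bounded(sub_stats_t *st, const uint8_t *payload, size_t len)
{
    uint8_t buf[MAX_PAYLOAD_LEN];
    if (payload == NULL || len == 0 || len > MAX_PAYLOAD_LEN) {
        st->rejected++;
        return -1;
    }
    memcpy(buf, payload, len);
    st->last_sum = sum_bytes(buf, len);
    st->accepted++;
    return (int)len;
}

int main(void)
{
    sub_stats_t st = {0, 0, 0};
    static uint8_t big[MAX_PAYLOAD_LEN + 1];  /* constructed oversized sample */
    return handle_payload_bounded(&st, big, sizeof big) == -1 ? 0 : 1;
}
```

With the bounded form, stack usage is fixed at compile time and oversized samples are counted and dropped instead of growing the frame.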
How can this vulnerability impact me?
This vulnerability can cause a stack overflow that crashes the Zenoh bridge task, leading to denial of service and loss of availability of the PX4 autopilot system.
Because the vulnerability affects confidentiality and integrity as well, an attacker might exploit it to execute arbitrary code remotely, potentially gaining control over the affected system or accessing sensitive data.
The exploit requires only low privileges and no user interaction, making it easier for attackers to leverage this vulnerability remotely.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a stack-based buffer overflow in the Zenoh uORB subscriber component of PX4 autopilot, triggered by receiving an oversized fragmented message from a remote Zenoh publisher.
Detection can focus on monitoring for crashes or abnormal behavior of the Zenoh bridge task, especially stack overflow crashes.
Since the vulnerability is triggered by receiving oversized fragmented messages, network monitoring for unusually large or fragmented Zenoh protocol messages could help detect attempts.
No specific commands are provided in the resources, but general approaches include:
- Using system logs or crash reports to identify Zenoh bridge task crashes.
- Using network packet capture tools (e.g., tcpdump or Wireshark) to filter and analyze Zenoh protocol traffic for oversized fragmented messages.
- Employing AddressSanitizer (ASAN) or similar runtime memory error detectors during testing to catch stack overflow events at the vulnerable allocation point.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the PX4 autopilot software to version 1.17.0-rc2 or later, where the vulnerability is fixed.
Until the upgrade can be applied, consider restricting network access to the Zenoh publisher interface to trusted sources only, to prevent remote attackers from sending malicious oversized fragmented messages.
Monitoring and alerting on Zenoh bridge task crashes can help detect exploitation attempts and prompt immediate response.