CVE-2026-32708
Undergoing Analysis Undergoing Analysis - In Progress
Stack Overflow in PX4 Zenoh uORB Subscriber Causes Crash

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the Zenoh uORB subscriber allocates a stack VLA directly from the incoming payload length without bounds. A remote Zenoh publisher can send an oversized fragmented message to force an unbounded stack allocation and copy, causing a stack overflow and crash of the Zenoh bridge task. This vulnerability is fixed in 1.17.0-rc2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32708
EUVD
EUVD-2026-12172
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
dronecode px4_drone_autopilot to 1.17.0 (exc)
dronecode px4_drone_autopilot 1.17.0
dronecode px4_drone_autopilot 1.17.0
dronecode px4_drone_autopilot 1.17.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32708 is a high-severity stack-based buffer overflow vulnerability in the Zenoh uORB subscriber component of the PX4 autopilot system for drones. The issue occurs because the code allocates a variable-length array (VLA) on the stack based directly on the length of an incoming payload without enforcing any maximum size limit.'}, {'type': 'paragraph', 'content': "When a remote Zenoh publisher sends an oversized fragmented message, the code allocates a stack buffer larger than the thread's stack size, causing a stack overflow. This overflow corrupts adjacent stack frames and crashes the Zenoh bridge task."}, {'type': 'paragraph', 'content': 'The vulnerability is exploitable remotely by any Zenoh publisher on the network, requires low privileges, and no user interaction. It can lead to confidentiality, integrity, and availability loss, and potentially remote code execution if stack protections are weak.'}] [1]

Impact Analysis

This vulnerability can cause a stack overflow that crashes the Zenoh bridge task, leading to denial of service and loss of availability of the PX4 autopilot system.

Because the vulnerability affects confidentiality and integrity as well, an attacker might exploit it to execute arbitrary code remotely, potentially gaining control over the affected system or accessing sensitive data.

The exploit requires only low privileges and no user interaction, making it easier for attackers to leverage this vulnerability remotely.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves a stack-based buffer overflow in the Zenoh uORB subscriber component of PX4 autopilot, triggered by receiving an oversized fragmented message from a remote Zenoh publisher.

Detection can focus on monitoring for crashes or abnormal behavior of the Zenoh bridge task, especially stack overflow crashes.

Since the vulnerability is triggered by receiving oversized fragmented messages, network monitoring for unusually large or fragmented Zenoh protocol messages could help detect attempts.

No specific commands are provided in the resources, but general approaches include:

  • Using system logs or crash reports to identify Zenoh bridge task crashes.
  • Using network packet capture tools (e.g., tcpdump or Wireshark) to filter and analyze Zenoh protocol traffic for oversized fragmented messages.
  • Employing AddressSanitizer (ASAN) or similar runtime memory error detectors during testing to catch stack overflow events at the vulnerable allocation point.
Mitigation Strategies

The primary mitigation is to upgrade the PX4 autopilot software to version 1.17.0-rc2 or later, where the vulnerability is fixed.

Until the upgrade can be applied, consider restricting network access to the Zenoh publisher interface to trusted sources only, to prevent remote attackers from sending malicious oversized fragmented messages.

Monitoring and alerting on Zenoh bridge task crashes can help detect exploitation attempts and prompt immediate response.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32708. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart