CVE-2026-32713
Logic Error in PX4 MAVLink FTP Allows Unauthorized Access
Publication date: 2026-03-16
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dronecode | px4_drone_autopilot | to 1.17.0 (exc) |
| dronecode | px4_drone_autopilot | 1.17.0 |
| dronecode | px4_drone_autopilot | 1.17.0 |
| dronecode | px4_drone_autopilot | 1.17.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-670 | The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2026-32713 is a logic error vulnerability in the PX4 Autopilot MAVLink FTP session validation. The issue arises because the code uses an incorrect boolean operator (logical AND '&&' instead of logical OR '||') when validating session IDs and file descriptors in FTP commands BurstReadFile and WriteFile."}, {'type': 'paragraph', 'content': 'This incorrect logic allows operations to proceed even if the session is invalid or the file descriptor is closed, which should normally be rejected. As a result, an unauthenticated attacker can put the FTP subsystem into an inconsistent state, bypass session isolation checks, and trigger operations on invalid file descriptors.'}, {'type': 'paragraph', 'content': 'Specifically, the vulnerable code only rejects requests if both the session ID is incorrect and the file descriptor is invalid, instead of rejecting if either condition is true. This flaw enables two main exploitation scenarios: 1) triggering operations on closed file descriptors causing errors and inconsistent FTP states, and 2) bypassing session isolation to access files opened in other sessions.'}] [1]
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an unauthenticated attacker to disrupt the PX4 Autopilot FTP subsystem. The attacker can cause the subsystem to enter an inconsistent state by triggering operations on invalid or closed file descriptors.
Additionally, the attacker can bypass session isolation checks, potentially accessing files opened in other sessions, although PX4 currently supports only one session, limiting this impact.
The primary risk is a denial of service to the FTP subsystem and triggering unexpected error conditions, which may block legitimate FTP operations or cause subsystem instability.
However, the vulnerability does not impact confidentiality or integrity, and data exfiltration is limited due to syscall-level failures on invalid file descriptors.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves incorrect session validation logic in the PX4 Autopilot MAVLink FTP subsystem, which can cause operations on invalid or closed file descriptors and bypass session isolation.
Detection can focus on monitoring for unusual FTP subsystem behavior such as errors related to invalid file descriptors (e.g., EBADF errors) or inconsistent FTP states triggered by BurstReadFile or WriteFile commands.
Since the vulnerability is in the PX4 MAVLink FTP implementation, you can monitor MAVLink FTP traffic for suspicious BurstReadFile or WriteFile commands with invalid session IDs or file descriptors.
Specific commands to detect this vulnerability are not provided in the resources, but you can use network packet capture tools (e.g., tcpdump or Wireshark) to filter MAVLink FTP traffic and look for anomalous BurstReadFile or WriteFile requests with session=0 or invalid file descriptors.
Additionally, reviewing PX4 autopilot logs for error messages related to lseek/read/write failures on file descriptor -1 or other invalid descriptors may help identify exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the PX4 Autopilot software to version 1.17.0-rc2 or later, where this vulnerability is fixed.
Until the upgrade can be applied, consider restricting access to the MAVLink FTP subsystem from untrusted or adjacent networks to reduce the risk of exploitation.
Monitoring and alerting on FTP subsystem errors or unusual MAVLink FTP commands can help detect exploitation attempts early.
Since the vulnerability allows denial of service and inconsistent FTP states, restarting the PX4 autopilot or its FTP subsystem after detecting suspicious activity may temporarily restore normal operation.