CVE-2026-32743
Stack-Based Buffer Overflow in PX4 MavlinkLogHandler Causes DoS
Publication date: 2026-03-19
Last updated on: 2026-03-19
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dronecode | px4_drone_autopilot | to 1.17.0 (exc) |
| dronecode | px4_drone_autopilot | 1.17.0 |
| dronecode | px4_drone_autopilot | 1.17.0 |
| dronecode | px4_drone_autopilot | 1.17.0 |
| dronecode | px4_drone_autopilot | 1.17.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-32743 is a stack-based buffer overflow vulnerability in the PX4 autopilot software, specifically in the MavlinkLogHandler component. The issue occurs because the LogEntry.filepath buffer is only 60 bytes, but the sscanf function used to parse file paths from the log list does not limit the input length. This allows an attacker to overflow the buffer by providing a file path longer than 60 characters.'}, {'type': 'paragraph', 'content': "An attacker with access to the MAVLink communication link can exploit this by creating deeply nested directories via MAVLink FTP, resulting in long file paths. When a log list request is made, the overly long paths cause a stack buffer overflow, crashing the flight controller's MAVLink task."}, {'type': 'paragraph', 'content': 'This vulnerability has been fixed by increasing the buffer size to PX4_MAX_FILEPATH (256 bytes), adding width specifiers to sscanf calls to limit input length, and adding compile-time checks to prevent future overflows.'}] [1, 2]
How can this vulnerability impact me? :
This vulnerability can cause a denial of service (DoS) condition on affected PX4 autopilot systems. When exploited, the MAVLink task on the flight controller crashes, resulting in loss of telemetry and command capabilities.
The loss of telemetry and command control can lead to unexpected drone behavior, potentially causing mission failure or unsafe situations during drone operation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or denial of service conditions in the PX4 autopilot's MAVLink task, especially after receiving MAVLink log list requests.
Since the vulnerability is triggered by MAVLink log requests with deeply nested directories or file paths longer than 60 characters, detection can involve checking for unusually long file paths in MAVLink FTP or suspicious MAV_CMD_LOG_REQUEST_LIST commands.
Specific commands to detect this vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the PX4 autopilot software to a version that includes the fix for CVE-2026-32743.
The fix involves increasing the size of the LogEntry.filepath buffer and adding width specifiers to sscanf calls to prevent buffer overflow.
Until the update can be applied, restrict or monitor MAVLink FTP access to prevent attackers from creating deeply nested directories or sending malicious MAV_CMD_LOG_REQUEST_LIST commands.