Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, tattu_can contains an unbounded memcpy in its multi-frame assembly loop, allowing stack memory overwrite when crafted CAN frames are processed. In deployments where tattu_can is enabled and running, a CAN-injection-capable attacker can trigger a crash (DoS) and memory corruption. This vulnerability is fixed in 1.17.0-rc2.
AnalysisAI
PX4 autopilot versions prior to 1.17.0-rc2 contain an unbounded memcpy vulnerability in the tattu_can module that allows stack memory corruption when processing specially crafted CAN frames. An attacker with CAN bus injection capability can trigger denial of service or memory corruption in drone systems where tattu_can is enabled, potentially compromising flight safety and system stability.
Technical ContextAI
The vulnerability resides in the tattu_can component of PX4 autopilot, which handles multi-frame CAN (Controller Area Network) message assembly. CAN is a serial communication bus standard commonly used in automotive and aerospace applications for inter-device communication. The flaw is classified as CWE-121 (Stack-based Buffer Overflow) and involves an unbounded memcpy operation within the multi-frame assembly loop. When processing incoming CAN frames, the code fails to validate frame boundaries before copying data to the stack, permitting an attacker to write beyond allocated buffer boundaries. This is particularly critical in embedded flight control systems where the autopilot operates in real-time and memory corruption can directly affect vehicle control algorithms and safety-critical operations.
RemediationAI
Upgrade PX4 autopilot to version 1.17.0-rc2 or later, which includes the fix for the unbounded memcpy vulnerability. Users should disable the tattu_can module in production deployments if updating is not immediately possible and the module is not essential for operations. Additionally, implement network segmentation to restrict physical CAN bus access to authorized devices only, and implement CAN frame validation and filtering at the network level to reject malformed multi-frame messages. Monitor systems for unexpected crashes or memory corruption errors that may indicate exploitation attempts. Refer to the PX4 project security advisories and release notes for patch deployment guidance.
More in Px4 Autopilot
View allStack overflow vulnerability in PX4 autopilot drone flight control software (versions prior to 1.17.0-rc2) where the Zen
Buffer overflow vulnerability in PX4 autopilot drone firmware versions before 1.17.0-rc2 that allows adjacent network at
PX4 autopilot versions prior to 1.17.0-rc2 contain a stack overflow vulnerability in the BST telemetry probe driver that
An unauthenticated path traversal vulnerability in PX4 Autopilot's MAVLink FTP implementation (CWE-22) allows any MAVLin
PX4 Autopilot versions prior to 1.17.0-rc1 contain a heap-use-after-free vulnerability in the MavlinkShell::available()
PX4 Autopilot prior to version 1.17.0-rc2 contains a boolean logic error in MAVLink FTP session validation that uses AND
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12152