Px4 Autopilot
CVE-2026-32708
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the Zenoh uORB subscriber allocates a stack VLA directly from the incoming payload length without bounds. A remote Zenoh publisher can send an oversized fragmented message to force an unbounded stack allocation and copy, causing a stack overflow and crash of the Zenoh bridge task. This vulnerability is fixed in 1.17.0-rc2.
AnalysisAI
Stack overflow vulnerability in PX4 autopilot drone flight control software (versions prior to 1.17.0-rc2) where the Zenoh uORB subscriber fails to validate incoming payload sizes, allowing remote attackers to crash the Zenoh bridge task. No active exploitation (not in KEV), no known POC, and the local attack vector (CVSS AV:L) limits real-world impact despite the high 7.8 CVSS score.
Technical ContextAI
The vulnerability affects PX4-Autopilot (CPE: cpe:2.3:a:px4:px4-autopilot:*:*:*:*:*:*:*:*), an open-source flight control solution for drones. The issue occurs in the Zenoh uORB subscriber component, which allocates a Variable Length Array (VLA) on the stack based directly on incoming payload length without bounds checking. This is a classic CWE-121 (Stack-based Buffer Overflow) where untrusted input controls memory allocation size. Zenoh is a real-time data distribution protocol, and uORB is PX4's publish-subscribe messaging system for inter-module communication.
RemediationAI
Primary mitigation: Upgrade to PX4-Autopilot version 1.17.0-rc2 or later which contains the fix. The vendor advisory (https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-69g4-hcqf-j45p) should be consulted for specific patch details. As a temporary workaround, consider disabling or restricting access to the Zenoh bridge functionality if not required for operations. Monitor Zenoh publisher sources and implement network segmentation to prevent unauthorized local access.
More in Px4 Autopilot
View allBuffer overflow vulnerability in PX4 autopilot drone firmware versions before 1.17.0-rc2 that allows adjacent network at
PX4 autopilot versions prior to 1.17.0-rc2 contain a stack overflow vulnerability in the BST telemetry probe driver that
An unauthenticated path traversal vulnerability in PX4 Autopilot's MAVLink FTP implementation (CWE-22) allows any MAVLin
PX4 Autopilot versions prior to 1.17.0-rc1 contain a heap-use-after-free vulnerability in the MavlinkShell::available()
PX4 autopilot versions prior to 1.17.0-rc2 contain an unbounded memcpy vulnerability in the tattu_can module that allows
PX4 Autopilot prior to version 1.17.0-rc2 contains a boolean logic error in MAVLink FTP session validation that uses AND
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today