Skip to main content

Px4 Autopilot CVE-2026-32713

MEDIUM
Always-Incorrect Control Flow Implementation (CWE-670)
2026-03-13 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Mar 13, 2026 - 22:01 vuln.today
CVE Published
Mar 13, 2026 - 21:20 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, A logic error in the PX4 Autopilot MAVLink FTP session validation uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descriptors. This enables an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. This vulnerability is fixed in 1.17.0-rc2.

AnalysisAI

PX4 Autopilot prior to version 1.17.0-rc2 contains a boolean logic error in MAVLink FTP session validation that uses AND (&&) instead of OR (||) operators, allowing attackers to bypass session isolation checks and execute file operations on invalid or closed file descriptors. An unauthenticated attacker on the adjacent network can exploit this vulnerability to destabilize the FTP subsystem, trigger denial-of-service conditions through invalid file descriptor operations, and potentially compromise the integrity of drone flight control systems. While the CVSS score of 4.3 indicates low to moderate severity with availability impact, the safety-critical nature of autopilot systems and the unauthenticated attack vector warrant immediate attention.

Technical ContextAI

PX4 Autopilot is an open-source flight control software stack for autonomous drones that implements MAVLink protocol communication for command and telemetry exchange. The vulnerability exists in the MAVLink FTP (File Transfer Protocol) subsystem, which handles remote file operations on the drone's onboard storage. The root cause is classified as CWE-670 (Incorrect Boolean Logic), specifically an inverted or incorrect logical operator in session validation checks for BurstReadFile and WriteFile operations. The flawed logic permits operations to proceed when session validation should have failed, allowing attackers to operate on invalid file handles or closed descriptors. This is a classic implementation error where the developer intended to ensure BOTH a valid session AND a valid file descriptor exist (requiring AND logic for the success path), but instead created a condition that allows either one to be invalid due to incorrect operator precedence or negation logic.

RemediationAI

Upgrade PX4 Autopilot to version 1.17.0-rc2 or later immediately. This release includes the corrected boolean logic (|| instead of &&) in MAVLink FTP session validation for BurstReadFile and WriteFile operations. For systems unable to upgrade immediately, implement network-level isolation by restricting MAVLink FTP traffic to trusted control stations only, disable remote file transfer capabilities if operationally feasible, and monitor system logs for anomalous FTP session activity or file descriptor errors. Apply firmware updates through official channels (https://github.com/PX4/PX4-Autopilot/releases) and validate integrity before deployment to production drones.

Share

CVE-2026-32713 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy