CVE-2026-32713
MEDIUM
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Description
PX4 Autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the MAVLink FTP session validation in PX4 Autopilot contains a logic error: it uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descriptors. This enables an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. This vulnerability is fixed in 1.17.0-rc2.
Analysis
PX4 Autopilot prior to version 1.17.0-rc2 contains a boolean logic error in MAVLink FTP session validation that uses AND (&&) instead of OR (||) operators, allowing attackers to bypass session isolation checks and execute file operations on invalid or closed file descriptors. An unauthenticated attacker on the adjacent network can exploit this vulnerability to destabilize the FTP subsystem, trigger denial-of-service conditions through invalid file descriptor operations, and potentially compromise the integrity of drone flight control systems. …
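The && versus || error described above, shown as an added example: this is a constructed model, not PX4 source code. The struct and function names, the sample descriptor values and the single valid session id are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>

// Constructed model of a single-session file server (not PX4 source).
struct SessionSlot {
    int fd;             // open file descriptor, or -1 when no file is open
};

struct Request {
    uint8_t session;    // session id carried in the request payload
};

constexpr uint8_t kOnlySession = 0;  // assumption: the one valid session id in this model

enum Result { kOk, kErrInvalidSession };

// Flawed form: rejects only when the session id is wrong AND the fd is closed.
Result validate_and(const Request &req, const SessionSlot &slot) {
    if (req.session != kOnlySession && slot.fd < 0) return kErrInvalidSession;
    return kOk;
}

// Corrected form: rejects when the session id is wrong OR the fd is closed.
Result validate_or(const Request &req, const SessionSlot &slot) {
    if (req.session != kOnlySession || slot.fd < 0) return kErrInvalidSession;
    return kOk;
}

// Walk all four (session, fd) states and count those a validator accepts
// even though the session id is wrong or the descriptor is closed.
template <typename V>
int wrongly_accepted(V validate) {
    int n = 0;
    for (uint8_t session : {uint8_t{0}, uint8_t{7}}) {
        for (int fd : {3, -1}) {
            bool should_accept = (session == kOnlySession) && (fd >= 0);
            bool accepted = validate(Request{session}, SessionSlot{fd}) == kOk;
            if (accepted && !should_accept) ++n;
        }
    }
    return n;
}

int main() {
    std::printf("&& check wrongly accepts %d of 4 states\n", wrongly_accepted(validate_and));
    std::printf("|| check wrongly accepts %d of 4 states\n", wrongly_accepted(validate_or));
}
```

The same four-state table works as a regression test for any guard that combines a session check with a descriptor check.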
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Monitor vendor channels for patch availability.