Px4 Autopilot
CVE-2026-32713
MEDIUM
Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, A logic error in the PX4 Autopilot MAVLink FTP session validation uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descriptors. This enables an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. This vulnerability is fixed in 1.17.0-rc2.
AnalysisAI
PX4 Autopilot prior to version 1.17.0-rc2 contains a boolean logic error in MAVLink FTP session validation that uses AND (&&) instead of OR (||) operators, allowing attackers to bypass session isolation checks and execute file operations on invalid or closed file descriptors. An unauthenticated attacker on the adjacent network can exploit this vulnerability to destabilize the FTP subsystem, trigger denial-of-service conditions through invalid file descriptor operations, and potentially compromise the integrity of drone flight control systems. While the CVSS score of 4.3 indicates low to moderate severity with availability impact, the safety-critical nature of autopilot systems and the unauthenticated attack vector warrant immediate attention.
Technical ContextAI
PX4 Autopilot is an open-source flight control software stack for autonomous drones that implements MAVLink protocol communication for command and telemetry exchange. The vulnerability exists in the MAVLink FTP (File Transfer Protocol) subsystem, which handles remote file operations on the drone's onboard storage. The root cause is classified as CWE-670 (Incorrect Boolean Logic), specifically an inverted or incorrect logical operator in session validation checks for BurstReadFile and WriteFile operations. The flawed logic permits operations to proceed when session validation should have failed, allowing attackers to operate on invalid file handles or closed descriptors. This is a classic implementation error where the developer intended to ensure BOTH a valid session AND a valid file descriptor exist (requiring AND logic for the success path), but instead created a condition that allows either one to be invalid due to incorrect operator precedence or negation logic.
RemediationAI
Upgrade PX4 Autopilot to version 1.17.0-rc2 or later immediately. This release includes the corrected boolean logic (|| instead of &&) in MAVLink FTP session validation for BurstReadFile and WriteFile operations. For systems unable to upgrade immediately, implement network-level isolation by restricting MAVLink FTP traffic to trusted control stations only, disable remote file transfer capabilities if operationally feasible, and monitor system logs for anomalous FTP session activity or file descriptor errors. Apply firmware updates through official channels (https://github.com/PX4/PX4-Autopilot/releases) and validate integrity before deployment to production drones.
More in Px4 Autopilot
View allStack overflow vulnerability in PX4 autopilot drone flight control software (versions prior to 1.17.0-rc2) where the Zen
Buffer overflow vulnerability in PX4 autopilot drone firmware versions before 1.17.0-rc2 that allows adjacent network at
PX4 autopilot versions prior to 1.17.0-rc2 contain a stack overflow vulnerability in the BST telemetry probe driver that
An unauthenticated path traversal vulnerability in PX4 Autopilot's MAVLink FTP implementation (CWE-22) allows any MAVLin
PX4 Autopilot versions prior to 1.17.0-rc1 contain a heap-use-after-free vulnerability in the MavlinkShell::available()
PX4 autopilot versions prior to 1.17.0-rc2 contain an unbounded memcpy vulnerability in the tattu_can module that allows
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today