IoT
CVE-2026-32743
MEDIUM
Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
PX4 is an open-source autopilot stack for drones and unmanned vehicles. Versions 1.17.0-rc2 and below are vulnerable to Stack-based Buffer Overflow through the MavlinkLogHandler, and are triggered via MAVLink log request. The LogEntry.filepath buffer is 60 bytes, but the sscanf function parses paths from the log list file with no width specifier, allowing a path longer than 60 characters to overflow the buffer. An attacker with MAVLink link access can trigger this by first creating deeply nested directories via MAVLink FTP, then requesting the log list. The flight controller MAVLink task crashes, losing telemetry and command capability and causing DoS. This issue has been fixed in this commit: https://github.com/PX4/PX4-Autopilot/commit/616b25a280e229c24d5cf12a03dbf248df89c474.
AnalysisAI
Stack-based buffer overflow in PX4 autopilot versions 1.17.0-rc2 and below allows attackers with MAVLink link access to crash the flight controller by exploiting an unconstrained sscanf operation in the MavlinkLogHandler. An attacker can trigger this by creating deeply nested directories via MAVLink FTP and then requesting the log list, causing the MAVLink task to crash and resulting in loss of telemetry and command capability. This denial of service affects drone and unmanned vehicle systems relying on vulnerable PX4 versions.
Technical ContextAI
The vulnerability resides in the MavlinkLogHandler component of PX4, which processes incoming MAVLink protocol requests for drone telemetry and command execution. The root cause (CWE-121: Stack-based Buffer Overflow) occurs in the LogEntry.filepath buffer, a 60-byte stack variable used to store file paths parsed from the log list file. The vulnerable code uses the sscanf function without a width specifier when parsing paths, allowing an attacker to write beyond the 60-byte boundary. MAVLink is the primary communication protocol used by PX4 for drone command and control, making this a network-accessible attack surface. The attack leverages MAVLink FTP functionality to first create deeply nested directory structures, which when listed via MAVLink log request, produce path strings exceeding 60 characters that overflow the fixed-size buffer.
Affected ProductsAI
PX4 autopilot stack versions 1.17.0-rc2 and all earlier versions are affected. The vulnerability has been addressed in PX4 versions following the security fix commit 616b25a280e229c24d5cf12a03dbf248df89c474. Organizations using PX4 on unmanned aerial vehicles (UAVs), autonomous ground vehicles, or other unmanned systems with MAVLink-enabled flight controllers should verify their deployment version. The fix is available via the official PX4 GitHub repository security advisory at https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-97c4-68r9-96p5.
RemediationAI
Upgrade PX4 to a version that includes the security fix from commit 616b25a280e229c24d5cf12a03dbf248df89c474 or later. This is available through the official PX4 GitHub repository (https://github.com/PX4/PX4-Autopilot). Until patching is feasible, implement network-level controls to restrict MAVLink access to trusted sources only, disable FTP functionality if not required for operations, and monitor for unexpected MAVLink log request patterns that may indicate exploitation attempts. For embedded deployments, consider deploying behind a MAVLink proxy that validates and truncates oversized file path requests before forwarding to the flight controller.
A command injection vulnerability (CVSS 9.8). Risk factors: public PoC available.
Plaintext daemon credentials in IDC SFX2100 routing config files (zebra, bgpd, ospfd, ripd). CVSS 10.0. PoC available.
Kede Electronics IoT smart water meter monitoring platform v1.0 has a SQL injection allowing attackers to compromise the
RIOT IoT operating system has an out-of-bounds read vulnerability (CVSS 9.1) that could lead to information disclosure o
A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 8.8). Risk factors: public PoC available
CVE-2025-34023 is a path traversal vulnerability in Karel IP1211 IP Phone's web management panel that allows remote auth
CVE-2025-48466 is a security vulnerability (CVSS 8.1). Risk factors: public PoC available.
MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to in
CVE-2025-7503 is a security vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affect
Command injection via the hostname field allowing authenticated code execution with maximum CVSS 10.0 and scope change.
Synectix LAN 232 TRIO serial-to-ethernet adapter exposes its web management interface without authentication (CVSS 10.0)
An API authentication bypass allows unauthenticated attackers to impersonate legitimate users. Maximum CVSS 10.0 with sc
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today