Skip to main content

IoT CVE-2026-32743

MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-03-19 security-advisories@github.com
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 19, 2026 - 00:22 vuln.today
CVE Published
Mar 19, 2026 - 00:16 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

PX4 is an open-source autopilot stack for drones and unmanned vehicles. Versions 1.17.0-rc2 and below are vulnerable to Stack-based Buffer Overflow through the MavlinkLogHandler, and are triggered via MAVLink log request. The LogEntry.filepath buffer is 60 bytes, but the sscanf function parses paths from the log list file with no width specifier, allowing a path longer than 60 characters to overflow the buffer. An attacker with MAVLink link access can trigger this by first creating deeply nested directories via MAVLink FTP, then requesting the log list. The flight controller MAVLink task crashes, losing telemetry and command capability and causing DoS. This issue has been fixed in this commit: https://github.com/PX4/PX4-Autopilot/commit/616b25a280e229c24d5cf12a03dbf248df89c474.

AnalysisAI

Stack-based buffer overflow in PX4 autopilot versions 1.17.0-rc2 and below allows attackers with MAVLink link access to crash the flight controller by exploiting an unconstrained sscanf operation in the MavlinkLogHandler. An attacker can trigger this by creating deeply nested directories via MAVLink FTP and then requesting the log list, causing the MAVLink task to crash and resulting in loss of telemetry and command capability. This denial of service affects drone and unmanned vehicle systems relying on vulnerable PX4 versions.

Technical ContextAI

The vulnerability resides in the MavlinkLogHandler component of PX4, which processes incoming MAVLink protocol requests for drone telemetry and command execution. The root cause (CWE-121: Stack-based Buffer Overflow) occurs in the LogEntry.filepath buffer, a 60-byte stack variable used to store file paths parsed from the log list file. The vulnerable code uses the sscanf function without a width specifier when parsing paths, allowing an attacker to write beyond the 60-byte boundary. MAVLink is the primary communication protocol used by PX4 for drone command and control, making this a network-accessible attack surface. The attack leverages MAVLink FTP functionality to first create deeply nested directory structures, which when listed via MAVLink log request, produce path strings exceeding 60 characters that overflow the fixed-size buffer.

Affected ProductsAI

PX4 autopilot stack versions 1.17.0-rc2 and all earlier versions are affected. The vulnerability has been addressed in PX4 versions following the security fix commit 616b25a280e229c24d5cf12a03dbf248df89c474. Organizations using PX4 on unmanned aerial vehicles (UAVs), autonomous ground vehicles, or other unmanned systems with MAVLink-enabled flight controllers should verify their deployment version. The fix is available via the official PX4 GitHub repository security advisory at https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-97c4-68r9-96p5.

RemediationAI

Upgrade PX4 to a version that includes the security fix from commit 616b25a280e229c24d5cf12a03dbf248df89c474 or later. This is available through the official PX4 GitHub repository (https://github.com/PX4/PX4-Autopilot). Until patching is feasible, implement network-level controls to restrict MAVLink access to trusted sources only, disable FTP functionality if not required for operations, and monitor for unexpected MAVLink log request patterns that may indicate exploitation attempts. For embedded deployments, consider deploying behind a MAVLink proxy that validates and truncates oversized file path requests before forwarding to the flight controller.

More in IoT

View all
CVE-2025-45988 CRITICAL POC
9.8 Jun 13

A command injection vulnerability (CVSS 9.8). Risk factors: public PoC available.

CVE-2026-29128 CRITICAL POC
10.0 Mar 05

Plaintext daemon credentials in IDC SFX2100 routing config files (zebra, bgpd, ospfd, ripd). CVSS 10.0. PoC available.

CVE-2025-63624 CRITICAL POC
9.8 Feb 03

Kede Electronics IoT smart water meter monitoring platform v1.0 has a SQL injection allowing attackers to compromise the

CVE-2026-25139 CRITICAL POC
9.1 Feb 04

RIOT IoT operating system has an out-of-bounds read vulnerability (CVSS 9.1) that could lead to information disclosure o

CVE-2025-5875 HIGH POC
8.8 Jun 09

A buffer overflow vulnerability in A vulnerability classified as critical (CVSS 8.8). Risk factors: public PoC available

CVE-2025-34023 HIGH POC
8.5 Jun 20

CVE-2025-34023 is a path traversal vulnerability in Karel IP1211 IP Phone's web management panel that allows remote auth

CVE-2025-48466 HIGH POC
8.1 Jun 24

CVE-2025-48466 is a security vulnerability (CVSS 8.1). Risk factors: public PoC available.

CVE-2026-27177 HIGH POC
7.2 Feb 18

MajorDoMo's unauthenticated /objects/?op=set endpoint fails to sanitize property values, allowing remote attackers to in

CVE-2025-7503 CRITICAL
10.0 Jul 11

CVE-2025-7503 is a security vulnerability (CVSS 10.0). Critical severity with potential for significant impact on affect

CVE-2025-64090 CRITICAL
10.0 Jan 09

Command injection via the hostname field allowing authenticated code execution with maximum CVSS 10.0 and scope change.

CVE-2026-1633 CRITICAL
10.0 Feb 04

Synectix LAN 232 TRIO serial-to-ethernet adapter exposes its web management interface without authentication (CVSS 10.0)

CVE-2025-40805 CRITICAL
10.0 Jan 13

An API authentication bypass allows unauthenticated attackers to impersonate legitimate users. Maximum CVSS 10.0 with sc

Share

CVE-2026-32743 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy