CVE-2026-32705 Overview
CVE-2026-32705 is a stack overflow vulnerability in the PX4 autopilot flight control software affecting the BST (Bluetooth Serial Telemetry) driver. The vulnerability exists in how the BST telemetry probe handles device-provided length values when writing string terminators. A malicious BST device can report an oversized dev_name_len value, which the driver uses without proper bounds checking, causing a stack overflow in the driver. This can result in a task crash or potentially enable arbitrary code execution on the flight controller.
Critical Impact
Physical access to the drone's BST interface could allow an attacker to crash the flight controller or achieve code execution, potentially taking control of the aircraft during flight operations.
Affected Products
- Dronecode PX4 Drone Autopilot versions prior to 1.17.0-rc2
- Dronecode PX4 Drone Autopilot version 1.17.0-alpha1
- Dronecode PX4 Drone Autopilot version 1.17.0-beta1
- Dronecode PX4 Drone Autopilot version 1.17.0-rc1
Discovery Timeline
- 2026-03-16 - CVE-2026-32705 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-32705
Vulnerability Analysis
This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow). The flaw resides in the BST telemetry driver where device-reported length values are used directly without validation. When a BST device connects and reports its device name length (dev_name_len), this value is trusted and used to write a string terminator to the stack. Without bounds checking, an attacker-controlled device can supply an arbitrarily large length value that causes the write operation to exceed the allocated stack buffer.
The physical attack vector requires direct access to the BST interface on the drone, but once exploited, the impact is severe. The vulnerability enables complete compromise of confidentiality, integrity, and availability of the flight controller system, though the attack scope remains unchanged (no cross-component impact).
Root Cause
The root cause is improper input validation in the BST driver's device enumeration routine. The driver accepts the dev_name_len field from the connected BST device without verifying that the value falls within the bounds of the allocated stack buffer. This trust of external input violates secure coding principles for embedded systems where peripheral devices may be malicious or compromised.
Attack Vector
Exploitation requires physical access to the target drone's BST telemetry interface. An attacker would need to connect a malicious BST device that has been programmed to report an oversized device name length value. When the PX4 autopilot driver probes this device during initialization or reconnection, it processes the malformed length field and writes beyond the stack buffer boundary.
The attack flow involves:
- Attacker connects a crafted malicious BST device to the drone's telemetry port
- The PX4 BST driver initiates device enumeration and requests device information
- The malicious device responds with an oversized dev_name_len value
- The driver uses this length to write a string terminator, overflowing the stack buffer
- This overflow can overwrite return addresses or other critical stack data, leading to task crash or code execution
Detection Methods for CVE-2026-32705
Indicators of Compromise
- Unexpected flight controller crashes or reboots during BST device connection events
- Anomalous behavior in the BST driver task or related telemetry functions
- System logs showing stack corruption or memory access violations in BST-related code paths
- Unexplained changes in flight behavior after physical maintenance or BST device swaps
Detection Strategies
- Monitor PX4 system logs for crash dumps or watchdog resets associated with BST driver tasks
- Implement hardware tamper detection for telemetry ports and BST connections
- Verify firmware integrity to detect unauthorized modifications resulting from code execution
- Audit physical access logs to correlate maintenance events with anomalous behavior
Monitoring Recommendations
- Enable detailed logging for all peripheral device enumeration events
- Implement runtime stack canaries if supported by the hardware platform to detect overflow attempts
- Monitor for unusual patterns in BST device connection and disconnection cycles
- Establish baseline behavior metrics for flight controller operations to identify deviations
How to Mitigate CVE-2026-32705
Immediate Actions Required
- Upgrade PX4 Autopilot to version 1.17.0-rc2 or later immediately
- Restrict physical access to drones and their telemetry interfaces
- Audit all connected BST devices and verify their authenticity before use
- Implement physical security controls for drone storage and maintenance areas
Patch Information
The vulnerability has been fixed in PX4 Autopilot version 1.17.0-rc2. The patch adds proper bounds checking for the dev_name_len field before using it to write the string terminator, preventing the stack overflow condition. Users should update their firmware through the standard PX4 update process.
For additional details, refer to the GitHub Security Advisory GHSA-79mp-34pp-2f3f.
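The unchecked terminator write described under Root Cause and the bounds check described under Patch Information, shown as an added C example that is not PX4's code and is not taken from the patch. The struct layout, the 32-byte DEV_NAME_MAX, and the terminate_dev_name and probe_device functions are assumptions; the check that the reported length does not exceed the bytes actually received goes beyond what the advisory describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DEV_NAME_MAX 32 /* assumed buffer size, not taken from the PX4 source */

/* Hypothetical reply layout: device-reported length, then a fixed name buffer. */
struct dev_info_reply {
    uint8_t dev_name_len;           /* set by the peripheral: untrusted, 0..255 */
    char    dev_name[DEV_NAME_MAX]; /* fixed-size storage on the probe's stack */
};

/* Unchecked pattern from the advisory (comment only, never executed):
 *     reply.dev_name[reply.dev_name_len] = '\0';
 * Any dev_name_len >= DEV_NAME_MAX places the zero byte outside dev_name. */

/* Checked form: NUL-terminates and returns 0, or returns -1 without writing. */
int terminate_dev_name(struct dev_info_reply *reply)
{
    if (reply == NULL || reply->dev_name_len >= sizeof(reply->dev_name)) {
        return -1; /* index would land at or past the end of the buffer */
    }
    reply->dev_name[reply->dev_name_len] = '\0';
    return 0;
}

/* Probe-style wrapper over raw received bytes: rx[0] is the reported length,
 * the name bytes follow. Returns 0 and copies the name out, or -1 on reject. */
int probe_device(const uint8_t *rx, size_t rx_len, char *name_out, size_t out_sz)
{
    struct dev_info_reply reply = {0};
    if (rx == NULL || name_out == NULL || rx_len < 1 || rx_len - 1 > sizeof(reply.dev_name)) {
        return -1; /* frame does not fit the reply structure */
    }
    reply.dev_name_len = rx[0];
    memcpy(reply.dev_name, rx + 1, rx_len - 1);
    if (reply.dev_name_len > rx_len - 1 || out_sz <= reply.dev_name_len
        || terminate_dev_name(&reply) != 0) {
        return -1; /* fail the probe instead of truncating or overflowing */
    }
    memcpy(name_out, reply.dev_name, (size_t)reply.dev_name_len + 1);
    return 0;
}

int main(void)
{
    const uint8_t oversized[] = {200, 'A', 'B'}; /* constructed reply claiming 200 name bytes */
    char name[DEV_NAME_MAX];
    return probe_device(oversized, sizeof(oversized), name, sizeof(name)) == -1 ? 0 : 1;
}
```

A reported length equal to DEV_NAME_MAX is rejected as well, since the terminator would land one byte past the end of the buffer.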
Workarounds
- If immediate patching is not possible, disable or physically disconnect BST telemetry functionality until the update can be applied
- Implement strict physical access controls to prevent unauthorized device connections
- Use only verified and trusted BST devices from the original equipment manufacturer
- Consider using alternative telemetry solutions that do not rely on the vulnerable BST driver until patched


