CVE-2026-32708 Overview
CVE-2026-32708 is a stack-based buffer overflow [CWE-121] in the PX4 Autopilot flight control software for drones. The Zenoh uORB subscriber allocates a stack variable-length array (VLA) directly from the incoming payload length without bounds checking. A remote Zenoh publisher on the adjacent network can transmit an oversized fragmented message to force an unbounded stack allocation and copy. The result is a stack overflow that crashes the Zenoh bridge task on the affected drone. The flaw impacts PX4 Autopilot versions prior to 1.17.0-rc2, including 1.17.0-alpha1, 1.17.0-beta1, and 1.17.0-rc1.
Critical Impact
An authenticated attacker on the adjacent network can crash the Zenoh bridge task on a PX4-controlled drone, causing loss of inter-process telemetry and potential flight disruption.
Affected Products
- Dronecode PX4 Autopilot versions prior to 1.17.0-rc2
- PX4 Autopilot 1.17.0-alpha1 and 1.17.0-beta1
- PX4 Autopilot 1.17.0-rc1
Discovery Timeline
- 2026-03-16 - CVE-2026-32708 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-32708
Vulnerability Analysis
PX4 Autopilot integrates Zenoh, a publish-subscribe networking protocol, to bridge external messages into its uORB inter-process communication layer. The Zenoh uORB subscriber processes incoming messages by allocating a stack-based variable-length array sized according to the attacker-controlled payload length field. The code path performs no upper bound check before the allocation and the subsequent copy operation. When a malicious publisher transmits a fragmented Zenoh message advertising an oversized payload, the subscriber attempts to allocate a VLA far larger than the available stack region. The allocation and copy overrun the task stack, corrupting adjacent memory and crashing the Zenoh bridge task. The fix in version 1.17.0-rc2 introduces explicit length validation against a fixed maximum before any stack allocation occurs.
Root Cause
The root cause is improper input validation on the payload length field of incoming Zenoh messages. The Zenoh uORB subscriber trusts attacker-supplied size data when sizing a stack VLA, violating safe coding practice for boundary checks [CWE-121].
Attack Vector
The attack requires adjacent network access and low privileges on the Zenoh fabric. An attacker registered as a Zenoh publisher on the same network can craft a fragmented message with an inflated payload length. No user interaction on the drone side is needed. Successful exploitation crashes the bridge task and disrupts data flow between Zenoh and uORB subscribers.
No public proof-of-concept exploit has been published. Refer to the PX4 GitHub Security Advisory GHSA-69g4-hcqf-j45p for vendor technical details.
Detection Methods for CVE-2026-32708
Indicators of Compromise
- Unexpected termination or restart of the Zenoh bridge task in PX4 system logs
- Stack corruption traces or hard fault entries in the autopilot crash log
- Inbound Zenoh fragmented messages with payload length fields exceeding normal operational sizes
Detection Strategies
- Monitor PX4 dmesg output and ULog files for repeated crashes of the Zenoh bridge process
- Inspect Zenoh network traffic for fragmented frames with anomalously large declared payload sizes
- Correlate sudden uORB topic dropouts with timestamps of inbound Zenoh sessions from unauthorized peers
Monitoring Recommendations
- Enable verbose logging on the Zenoh router and archive session metadata for forensic review
- Track the membership of the Zenoh fabric and alert on new or unrecognized publishers joining the network
- Capture packet traces at the ground control station to baseline normal Zenoh payload size distribution
How to Mitigate CVE-2026-32708
Immediate Actions Required
- Upgrade PX4 Autopilot to version 1.17.0-rc2 or later on all affected airframes
- Restrict Zenoh bridge exposure to trusted network segments only, disabling discovery on untrusted interfaces
- Audit Zenoh access control lists to confirm only authorized publishers can connect to drone subscribers
Patch Information
The vulnerability is fixed in PX4 Autopilot 1.17.0-rc2. The patch adds bounds enforcement on the incoming payload length in the Zenoh uORB subscriber before any stack allocation. See the PX4 GitHub Security Advisory GHSA-69g4-hcqf-j45p for patch commit references.
Workarounds
- Disable the Zenoh uORB bridge module if it is not required for the mission profile
- Deploy Zenoh on an isolated VLAN or encrypted overlay accessible only to authenticated ground control endpoints
- Configure network-layer filtering to drop oversized Zenoh fragments at the edge of the drone control network
# Configuration example: disable Zenoh bridge at PX4 startup
# Edit the PX4 startup script (e.g., etc/init.d/rc.mc_apps) and comment out:
# zenoh start
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
