CVE-2026-32743 Overview
CVE-2026-32743 is a stack-based buffer overflow vulnerability affecting PX4, the widely-used open-source autopilot stack for drones and unmanned vehicles. The vulnerability exists in the MavlinkLogHandler component and can be triggered via MAVLink log requests. The LogEntry.filepath buffer is limited to 60 bytes, but the sscanf function parses paths from the log list file without a width specifier, allowing paths longer than 60 characters to overflow the buffer.
An attacker with MAVLink link access can exploit this vulnerability by first creating deeply nested directories via MAVLink FTP, then requesting the log list. Successful exploitation causes the flight controller MAVLink task to crash, resulting in loss of telemetry and command capability, leading to a Denial of Service (DoS) condition.
Critical Impact
Exploitation causes the flight controller MAVLink task to crash, resulting in complete loss of telemetry and command capability for drones and unmanned vehicles, potentially causing loss of control during flight operations.
Affected Products
- Dronecode PX4 Drone Autopilot versions up to and including 1.17.0-rc2
- Dronecode PX4 Drone Autopilot 1.17.0-alpha1
- Dronecode PX4 Drone Autopilot 1.17.0-beta1
- Dronecode PX4 Drone Autopilot 1.17.0-rc1
Discovery Timeline
- 2026-03-19 - CVE-2026-32743 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-32743
Vulnerability Analysis
This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow). The flaw resides in the MAVLink log handler's filepath parsing logic within the PX4 autopilot firmware. The vulnerability is exploitable from an adjacent network, meaning an attacker must have access to the MAVLink communication link to the drone or unmanned vehicle. While the attack complexity is low and requires no privileges or user interaction, the impact is limited to availability—causing a denial of service rather than enabling code execution or data exfiltration.
The attack requires two stages: first, the attacker uses MAVLink FTP capabilities to create deeply nested directory structures that exceed the 60-byte filepath buffer. Then, when the log list is requested, the sscanf function reads these overly long paths without bounds checking, overwriting adjacent stack memory and causing the MAVLink task to crash.
Root Cause
The root cause is the unsafe use of sscanf without a width specifier when parsing filepath strings from the log list file. The LogEntry.filepath buffer is allocated at 60 bytes on the stack, but the parsing function does not enforce this limit when reading paths. This classic C programming error allows arbitrarily long paths to overflow the fixed-size buffer, corrupting stack memory and causing undefined behavior—in this case, a task crash.
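The bounded form of the parse described above, as an added example in C (not PX4's code). The "<time> <size> <path>" line format, the struct layout, the function name and the return codes are assumptions made for illustration; only the 60-byte buffer size comes from the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FILEPATH_SIZE  60   /* buffer size stated in the advisory */
#define FILEPATH_SCANF 59   /* scan width: leaves one byte for the NUL */
#define STR_(x) #x
#define STR(x)  STR_(x)

_Static_assert(FILEPATH_SCANF < FILEPATH_SIZE,
               "sscanf width must be less than the filepath buffer size");

struct log_entry {          /* hypothetical layout, for illustration */
    unsigned time_utc;
    unsigned size_bytes;
    char     filepath[FILEPATH_SIZE];
};

/* Parse one "<time> <size> <path>" line (assumed format).
 * Returns 0 on success, -1 if malformed, -2 if the path did not fit. */
int parse_log_line(const char *line, struct log_entry *out)
{
    int consumed = 0;
    memset(out, 0, sizeof *out);
    /* The unbounded form "%u %u %s" keeps writing until whitespace and
     * ignores the size of filepath; the width below caps the write at 59. */
    if (sscanf(line, "%u %u %" STR(FILEPATH_SCANF) "s%n",
               &out->time_utc, &out->size_bytes, out->filepath, &consumed) != 3)
        return -1;
    /* A non-space character right after the match means the width cut the
     * path short: reject it instead of using a truncated name. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return -2;
    return 0;
}

int main(void)
{
    /* Constructed sample lines, not taken from a real logdata.txt. */
    const char *ok   = "1700000000 4096 /fs/microsd/log/2026-03-01/10_00_00.ulg\n";
    const char *deep = "1700000000 4096 /fs/microsd/log/aaaaaaaaaa/bbbbbbbbbb/"
                       "cccccccccc/dddddddddd/eeeeeeeeee/x.ulg\n";
    struct log_entry e;
    int rc = parse_log_line(ok, &e);
    printf("ok   -> %d (%s)\n", rc, e.filepath);
    rc = parse_log_line(deep, &e);
    printf("deep -> %d (kept %zu bytes)\n", rc, strlen(e.filepath));
    return 0;
}
```

Rejecting on truncation matters as much as the width itself: a silently shortened path can name a different file than the one listed.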
Attack Vector
The attack requires adjacent network access to the MAVLink communication link. The attacker exploits the vulnerability through the following sequence:
- Establish MAVLink connection - Connect to the drone's MAVLink interface
- Create malicious directory structure - Use MAVLink FTP to create deeply nested directories exceeding 60 characters in total path length
- Trigger log enumeration - Request the log list via MAVLink, causing the vulnerable sscanf to parse the oversized filepath
- Cause denial of service - The stack overflow crashes the MAVLink task, severing telemetry and command capabilities
The security patch introduces a width specifier for sscanf and adds compile-time validation to ensure the width specifier is always less than the buffer size:
// Security patch in src/modules/mavlink/mavlink_log_handler.h
// Source: https://github.com/PX4/PX4-Autopilot/commit/616b25a280e229c24d5cf12a03dbf248df89c474
****************************************************************************/
#pragma once
#include <perf/perf_counter.h>
#include "mavlink_bridge_header.h"
+#ifdef __PX4_NUTTX
+#define PX4LOG_REGULAR_FILE DTYPE_FILE
+#define PX4LOG_DIRECTORY DTYPE_DIRECTORY
+#define PX4_MAX_FILEPATH CONFIG_PATH_MAX
+#define PX4_MAX_FILEPATH_SCANF 255
+#else
+#ifndef PATH_MAX
+#define PATH_MAX 1024 // maximum on macOS
+#endif
+#define PX4LOG_REGULAR_FILE DT_REG
+#define PX4LOG_DIRECTORY DT_DIR
+#define PX4_MAX_FILEPATH PATH_MAX
+#define PX4_MAX_FILEPATH_SCANF 1023
+#endif
class Mavlink;
class MavlinkLogHandler
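Review bot: PX4_MAX_FILEPATH_SCANF is hard-coded (255 on NuttX, 1023 elsewhere) while PX4_MAX_FILEPATH is taken from CONFIG_PATH_MAX or PATH_MAX, so the two values are coupled only by convention. A board configuration with CONFIG_PATH_MAX of 255 or lower will fail the static_assert in the .cpp file, and nothing next to these defines explains why. Add a comment beside each pair stating that the scan width must stay at or below PX4_MAX_FILEPATH - 1, and note the expected minimum for CONFIG_PATH_MAX. The visible lines also do not include the LogEntry.filepath declaration or the sscanf format string, so confirm that both now use these macros.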
// Security patch in src/modules/mavlink/mavlink_log_handler.cpp
// Source: https://github.com/PX4/PX4-Autopilot/commit/616b25a280e229c24d5cf12a03dbf248df89c474
#include <dirent.h>
#include <sys/stat.h>
+static_assert(PX4_MAX_FILEPATH_SCANF < PX4_MAX_FILEPATH,
+ "sscanf width specifier must be less than filepath buffer size");
static constexpr int MAX_BYTES_BURST = 256 * 1024;
static const char *kLogListFilePath = PX4_STORAGEDIR "/logdata.txt";
static const char *kLogListFilePathTemp = PX4_STORAGEDIR "/$log$.txt";
static const char *kLogDir = PX4_STORAGEDIR "/log";
MavlinkLogHandler::MavlinkLogHandler(Mavlink &mavlink)
: _mavlink(mavlink)
{}
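Review bot: the static_assert compares PX4_MAX_FILEPATH_SCANF with the PX4_MAX_FILEPATH macro rather than with the size of the array that sscanf writes into, so it keeps passing if the filepath member is ever declared with a different size. Assert against sizeof of the destination array, or place a second assert next to its declaration. The sscanf call itself is not part of this excerpt, so also check that its format string is built from PX4_MAX_FILEPATH_SCANF rather than from a repeated literal.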
Detection Methods for CVE-2026-32743
Indicators of Compromise
- Unexpected crashes or restarts of the MAVLink task on PX4 flight controllers
- Loss of telemetry connectivity during flight operations without apparent cause
- Presence of unusually deep or long directory paths in the log storage directory (/log)
- MAVLink FTP activity creating nested directories with long path names
- Flight controller log entries showing stack overflow or memory corruption errors
Detection Strategies
- Monitor MAVLink communication for suspicious FTP commands creating deeply nested directories
- Implement network segmentation and access controls on MAVLink communication links
- Configure anomaly detection for unusual directory creation patterns via MAVLink FTP
- Review flight controller logs for crash events in the MAVLink handler module
Monitoring Recommendations
- Enable verbose logging on PX4 systems to capture MAVLink FTP operations
- Deploy network monitoring on MAVLink communication channels to detect unauthorized access
- Implement alerting for flight controller task crashes or unexpected reboots
- Audit log directory structures periodically for suspicious deep nesting
How to Mitigate CVE-2026-32743
Immediate Actions Required
- Update PX4 Drone Autopilot firmware to a version containing commit 616b25a280e229c24d5cf12a03dbf248df89c474 or later
- Restrict MAVLink link access to trusted ground control stations and operators only
- Implement network-level access controls to limit who can establish MAVLink connections
- Monitor for suspicious MAVLink FTP activity on all deployed drones and unmanned vehicles
Patch Information
The vulnerability has been fixed in commit 616b25a280e229c24d5cf12a03dbf248df89c474. The patch introduces proper width specifiers for sscanf operations and adds compile-time assertions to ensure buffer safety. Users should update to the latest PX4 release that includes this fix.
For detailed patch information, refer to the GitHub Security Advisory GHSA-97c4-68r9-96p5 and the commit details.
Workarounds
- Disable MAVLink FTP functionality if not required for operations
- Implement strict access controls on the MAVLink communication interface
- Use encrypted and authenticated MAVLink connections where supported
- Physically isolate drone ground control stations from untrusted networks
# Configuration example: Restrict MAVLink access on PX4
# Note: Specific configuration depends on your deployment
# Force MAVLink 2, the protocol version that supports message signing
# (this parameter selects the protocol version only)
param set MAV_PROTO_VER 2
# Disable MAVLink broadcast
param set MAV_BROADCAST 0
# Review and limit enabled MAVLink streams
mavlink status