CVE-2026-32708 in PX4-Autopilot

Summary

by MITRE • 03/16/2026

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the Zenoh uORB subscriber allocates a stack VLA directly from the incoming payload length without bounds. A remote Zenoh publisher can send an oversized fragmented message to force an unbounded stack allocation and copy, causing a stack overflow and crash of the Zenoh bridge task. This vulnerability is fixed in 1.17.0-rc2.

Analysis

by VulDB Data Team • 03/21/2026

The PX4 autopilot system represents a critical flight control solution widely deployed in unmanned aerial vehicles and drone applications where reliable operation is paramount for safety and mission success. This vulnerability affects the Zenoh uORB (Unified Robotics Bus) subscriber component that facilitates communication between various system components within the autopilot framework. The affected system operates in environments where real-time processing and robust error handling are essential for maintaining flight stability and preventing catastrophic failures.

The technical flaw manifests in the Zenoh uORB subscriber implementation where stack-based variable length arrays (VLAs) are allocated directly from incoming payload lengths without proper bounds checking or validation. This design pattern creates a direct mapping between untrusted external data and internal stack memory allocation, allowing an attacker to manipulate the allocation size through crafted messages. The vulnerability specifically affects the Zenoh bridge task which processes incoming messages from remote publishers, making it susceptible to remote exploitation through network-based attacks.

The operational impact of this vulnerability extends beyond simple system crashes to potentially compromise flight safety and mission integrity. When a remote attacker sends an oversized fragmented message, the system allocates an unbounded amount of stack memory based on the malicious payload size, leading to stack overflow conditions that can cause the Zenoh bridge task to terminate unexpectedly. This failure mode can result in communication breakdowns between critical system components, potentially leading to loss of control or complete system failure during flight operations. The vulnerability affects all PX4 autopilot systems running versions prior to 1.17.0-rc2, creating a widespread exposure across deployed drone fleets.

The fix implemented in version 1.17.0-rc2 addresses the core issue by introducing proper bounds checking and validation of payload lengths before any stack allocation occurs. This remediation aligns with established security principles from the CWE (Common Weakness Enumeration) catalog, specifically addressing CWE-129, which covers insufficient validation of length fields, and CWE-787, which covers out-of-bounds write vulnerabilities. The mitigation strategy follows recommended practices from the ATT&CK framework's defense evasion techniques, ensuring that system components properly validate input data before processing. Organizations should prioritize upgrading to the patched version immediately, as the vulnerability represents a significant risk to operational drone systems where reliability and safety are non-negotiable requirements. The fix also incorporates defensive programming practices that prevent similar issues in future implementations, strengthening the overall security posture of the PX4 autopilot ecosystem.
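
The pattern described above next to a bounds-checked counterpart, as an added example that is not PX4 or Zenoh code. The names topic_sub_t, on_sample_vulnerable and on_sample_checked and the 256-byte SAMPLE_MAX cap are assumptions made for illustration; the actual change in 1.17.0-rc2 may differ.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names and sizes; not PX4 or Zenoh code. */
#define SAMPLE_MAX 256u              /* assumed compile-time cap for any topic */

typedef struct {
    size_t   max_len;                /* largest valid payload for this topic */
    uint8_t  last[SAMPLE_MAX];       /* most recent accepted sample */
    size_t   last_len;
    unsigned dropped;                /* rejected samples, worth exporting as telemetry */
} topic_sub_t;

enum { SUB_OK = 0, SUB_ERR_ARG = -1, SUB_ERR_LEN = -2 };

/* Vulnerable shape: the peer-supplied length sizes a stack VLA and the copy.
 * A reassembled fragmented message can make len far larger than the task stack. */
int on_sample_vulnerable(topic_sub_t *sub, const uint8_t *payload, size_t len)
{
    uint8_t buf[len];                /* unbounded stack allocation */
    memcpy(buf, payload, len);       /* unbounded copy */
    sub->last_len = len < SAMPLE_MAX ? len : SAMPLE_MAX;
    memcpy(sub->last, buf, sub->last_len);
    return SUB_OK;
}

/* Hardened shape: the length is validated before any memory is touched. */
int on_sample_checked(topic_sub_t *sub, const uint8_t *payload, size_t len)
{
    if (sub == NULL || payload == NULL || sub->max_len > SAMPLE_MAX)
        return SUB_ERR_ARG;
    if (len == 0 || len > sub->max_len) {
        sub->dropped++;              /* count the rejection, keep the task alive */
        return SUB_ERR_LEN;
    }
    uint8_t buf[SAMPLE_MAX];         /* fixed size: stack cost known at build time */
    memcpy(buf, payload, len);
    memcpy(sub->last, buf, len);
    sub->last_len = len;
    return SUB_OK;
}
```

A rising dropped counter on a bridge task is a useful signal that a peer is sending payloads outside the expected size range.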

Responsible: GitHub M
Reservation: 03/13/2026
Disclosure: 03/16/2026
Moderation: accepted
CPE: ready
EPSS: 0.00021
KEV: no
Activities: very low
