Description
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, a logic error in the PX4 Autopilot MAVLink FTP session validation uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descriptors. This enables an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. This vulnerability is fixed in 1.17.0-rc2.
Published: 2026-03-13
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

PX4 Autopilot’s MAVLink FTP session validation uses && where || was intended, so the BurstReadFile and WriteFile handlers accept requests whose session id is invalid or whose file descriptor has already been closed. An unauthenticated attacker who can send MAVLink FTP messages to the flight stack can use this to drive the FTP subsystem into an inconsistent state, trigger read or write operations on an invalid file descriptor, and bypass the session isolation check. The assigned CVSS vector rates the impact as low availability only (C:N/I:N/A:L): the "inconsistent state" in the description points at failed operations or crashes in the FTP subsystem, not at a demonstrated confidentiality or integrity loss.
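To make the && versus || error concrete, here is an added example that models the session check described above. It is not PX4's own code: PX4 serves a single FTP session at a time and a request carries a session id while the server holds the open file descriptor, but the names SessionInfo, validateSessionBuggy, validateSessionFixed, burstRead and the kErr* codes are assumed here for illustration. The buggy check rejects a request only when both the session id and the descriptor are bad, so a session-0 request on a closed descriptor, or a non-zero session id on an open descriptor, gets through to the read path.

```cpp
// Added example, not PX4 code: a model of the MAVLink FTP session check
// described in CVE-2026-32713. SessionInfo, validateSession*, burstRead
// and the kErr* codes are names assumed here for illustration.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <cerrno>
#include <fcntl.h>
#include <unistd.h>

enum ErrorCode { kErrNone = 0, kErrInvalidSession = 1, kErrFailErrno = 2 };

struct SessionInfo {
    int fd = -1;   // -1: no file is open for this session
};

// Only session id 0 exists, so a request is valid only if the id is 0
// AND a file is open. The buggy check rejects only when BOTH are wrong,
// letting through (session 0, closed fd) and (non-zero session, open fd).
ErrorCode validateSessionBuggy(uint8_t session, const SessionInfo &s) {
    if (session != 0 && s.fd < 0) {
        return kErrInvalidSession;
    }
    return kErrNone;
}

// Fixed check: either a bad session id or a closed fd is enough to reject.
ErrorCode validateSessionFixed(uint8_t session, const SessionInfo &s) {
    if (session != 0 || s.fd < 0) {
        return kErrInvalidSession;
    }
    return kErrNone;
}

typedef ErrorCode (*Validator)(uint8_t, const SessionInfo &);

// A BurstReadFile-style handler: validate, then read from the session fd.
// With the buggy check and a closed fd, pread() runs on fd -1 and fails
// with EBADF; the caller sees kErrFailErrno instead of kErrInvalidSession.
ErrorCode burstRead(Validator validate, uint8_t session, const SessionInfo &s,
                    uint32_t offset, uint8_t *buf, size_t len, ssize_t *got) {
    ErrorCode rc = validate(session, s);
    if (rc != kErrNone) {
        *got = 0;
        return rc;
    }
    *got = pread(s.fd, buf, len, offset);
    if (*got < 0) {
        return kErrFailErrno;   // errno is EBADF for a closed descriptor
    }
    return kErrNone;
}

// Enumerate the four (session id, fd state) combinations for both checks,
// then show the buggy path reaching pread() on a closed descriptor.
int main() {
    const uint8_t ids[2] = {0, 1};
    const int fds[2] = {-1, open("/dev/zero", O_RDONLY)};
    for (uint8_t id : ids) {
        for (int fd : fds) {
            SessionInfo s;
            s.fd = fd;
            printf("session=%d fd=%s  buggy=%d fixed=%d\n", (int)id,
                   fd < 0 ? "closed" : "open",
                   (int)validateSessionBuggy(id, s), (int)validateSessionFixed(id, s));
        }
    }
    SessionInfo closed;
    uint8_t buf[16];
    ssize_t got = 0;
    ErrorCode rc = burstRead(validateSessionBuggy, 0, closed, 0, buf, sizeof buf, &got);
    printf("buggy burst read on closed fd: rc=%d errno=%s\n", (int)rc, strerror(errno));
    if (fds[1] >= 0) {
        close(fds[1]);
    }
    return 0;
}
```

Running the program prints the truth table for both checks; the two rows where the buggy check returns 0 (accept) and the fixed check returns 1 (reject) are exactly the invalid-session and closed-descriptor cases the advisory describes, and the final line shows the buggy path failing inside pread() with EBADF rather than at the session check.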

Affected Systems

The vulnerability affects the PX4 Autopilot firmware, specifically all releases prior to 1.17.0-rc2. This includes the alpha1, beta1, and rc1 variants of version 1.17.0, as well as any earlier releases that contain the same logic error.

Risk and Exploitability

The CVSS 3.1 score is 4.3 (Medium), vector CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The attack vector is adjacent, so the attacker must be able to inject MAVLink traffic on a link the flight controller listens on (for example a telemetry radio, a Wi-Fi link, or a companion-computer serial or UDP link), but needs no privileges and no user interaction. The EPSS score is below 1%, suggesting a low likelihood of current exploitation, and the vulnerability is not listed in CISA’s KEV catalog; the SSVC assessment records Exploitation as "poc", Automatable as "no" and Technical Impact as "partial". Because MAVLink FTP requests require no authentication, any party on the MAVLink link can issue the affected BurstReadFile and WriteFile requests.

Generated by OpenCVE AI on March 17, 2026 at 16:09 UTC.

Remediation

Fixed upstream in PX4 Autopilot 1.17.0-rc2. No workaround is listed; until the firmware is updated, limit who can reach the MAVLink link, since the attack vector is adjacent network.

OpenCVE Recommended Actions

  • Upgrade PX4 Autopilot to version 1.17.0-rc2 or later



Advisories

No advisories yet.

History

Tue, 17 Mar 2026 16:15:00 +0000

Type       Values Removed   Values Added
Metrics    -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 19:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Dronecode
                                      Dronecode px4 Drone Autopilot
CPEs                 -                cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*
                                      cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*
                                      cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*
                                      cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:*
Vendors & Products   -                Dronecode
                                      Dronecode px4 Drone Autopilot

Mon, 16 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Px4
                                      Px4 px4-autopilot
Vendors & Products   -                Px4
                                      Px4 px4-autopilot

Fri, 13 Mar 2026 21:45:00 +0000

Type          Values Removed   Values Added
Description   -                PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, A logic error in the PX4 Autopilot MAVLink FTP session validation uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descriptors. This enables an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. This vulnerability is fixed in 1.17.0-rc2.
Title         -                PX4 Autopilot MAVLink FTP Session Validation Logic Error Allows Operations on Invalid File Descriptors
Weaknesses    -                CWE-670
References    -                (none shown)
Metrics       -                cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-17T15:11:04.784Z

Reserved: 2026-03-13T14:33:42.824Z

Link: CVE-2026-32713

Vulnrichment

Updated: 2026-03-17T15:10:53.382Z

NVD

Status: Analyzed

Published: 2026-03-16T14:19:42.313

Modified: 2026-03-16T19:00:42.000

Link: CVE-2026-32713

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:39:18Z

Weaknesses