Description
PX4 is an open-source autopilot stack for drones and unmanned vehicles. Versions 1.17.0-rc2 and below are vulnerable to a stack-based buffer overflow in the MavlinkLogHandler, triggered via a MAVLink log request. The LogEntry.filepath buffer is 60 bytes, but the sscanf call that parses paths from the log list file has no width specifier, so a path longer than 60 characters overflows the buffer. An attacker with MAVLink link access can trigger this by first creating deeply nested directories via MAVLink FTP, then requesting the log list. The flight controller's MAVLink task crashes, losing telemetry and command capability and causing a DoS. This issue has been fixed in this commit: https://github.com/PX4/PX4-Autopilot/commit/616b25a280e229c24d5cf12a03dbf248df89c474.
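The defect class named above (CWE-121, an unbounded `%s` in sscanf writing into a fixed 60-byte stack buffer) and the shape of the fix are shown in the added example below. This is illustrative code written for this page, not PX4's MavlinkLogHandler; the buffer size follows the description, while the log-list line format (`<size_bytes> <path>`), the `log_entry_t` type and the function names are assumptions. The vulnerable call is kept only as a comment for contrast; the hardened parser caps the write with a width specifier and uses `%n` to detect a path that did not fit, rejecting it rather than silently truncating it.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Buffer size taken from the advisory (LogEntry.filepath is 60 bytes).
 * Everything else in this file is an assumption made for the demo. */
#define LOG_FILEPATH_MAX 60

typedef struct {
    unsigned long size_bytes;
    char filepath[LOG_FILEPATH_MAX];
} log_entry_t;

/* The pattern the advisory describes: "%s" with no width limit writes
 * as many bytes as the token has, so a path of 60 or more characters
 * runs past the end of entry->filepath on the stack. Shown only as a
 * comment; it is never executed here.
 *
 *     sscanf(line, "%lu %s", &entry->size_bytes, entry->filepath);
 */

/* The width in "%59s" must stay equal to LOG_FILEPATH_MAX - 1. */
_Static_assert(LOG_FILEPATH_MAX == 60, "format width must be LOG_FILEPATH_MAX - 1");

/* Hardened parser: "%59s" caps the write at 59 bytes plus the NUL, and
 * "%n" records how far sscanf got so a path that was cut off is rejected
 * instead of being silently truncated (a truncated path would later
 * name the wrong file). */
bool parse_log_entry(const char *line, log_entry_t *entry)
{
    char path[LOG_FILEPATH_MAX];
    unsigned long size;
    int consumed = 0;

    if (sscanf(line, "%lu %59s%n", &size, path, &consumed) != 2) {
        return false;            /* malformed line */
    }
    /* %59s stops after 59 characters; if the next character is not
     * whitespace or end of line, the path token was longer than fits. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed])) {
        return false;            /* path too long for filepath[] */
    }
    entry->size_bytes = size;
    memcpy(entry->filepath, path, sizeof entry->filepath);
    return true;
}

/* Walk a newline-separated log list, keeping entries that parse cleanly.
 * Rejected lines are skipped so one bad entry cannot take the whole
 * handler down. Returns the number of accepted entries. */
int parse_log_list(const char *list, log_entry_t *out, int max_out)
{
    int n = 0;
    const char *p = list;
    while (*p && n < max_out) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line) len = sizeof line - 1;   /* clamp, never overflow */
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_log_entry(line, &out[n])) n++;
        p = nl ? nl + 1 : p + len;
    }
    return n;
}

/* Constructed sample list (not real PX4 data): two normal entries and one
 * whose path is 69 characters, the kind of deeply nested path the
 * advisory describes. */
static const char SAMPLE_LOG_LIST[] =
    "1024 /fs/microsd/log/2026-03-18/10_00_00.ulg\n"
    "2048 /fs/microsd/log/2026-03-18/11_30_00.ulg\n"
    "4096 /fs/microsd/log/aaaaaaaaaa/bbbbbbbbbb/cccccccccc/dddddddddd/eeeee.ulg\n";

int main(void)
{
    log_entry_t entries[8];
    int n = parse_log_list(SAMPLE_LOG_LIST, entries, 8);
    printf("accepted %d of 3 entries\n", n);   /* the oversized path is dropped */
    for (int i = 0; i < n; i++) {
        printf("  %lu %s\n", entries[i].size_bytes, entries[i].filepath);
    }
    return 0;
}
```

The two-part check matters: a width specifier alone stops the overflow but leaves a truncated path in the struct, and `%n` is the cheapest way to notice that sscanf stopped mid-token. Keeping the width literal tied to the buffer size with a static assertion guards against the two drifting apart in a later edit.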
Published: 2026-03-18
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch immediately
AI Analysis

Impact

PX4 Autopilot is vulnerable to a stack‑based buffer overflow in the MavlinkLogHandler. When a MAVLink log request is processed, the LogEntry.filepath buffer (60 bytes) is filled via sscanf without a width specifier, allowing an attacker to submit a path longer than 60 characters. The overflow crashes the flight controller’s MAVLink task, causing loss of telemetry and command capability and effectively denying service to the vehicle.

Affected Systems

The affected vendor is PX4 (PX4‑Autopilot). Versions 1.17.0‑rc2 and all earlier releases are vulnerable. The issue was fixed in commit 616b25a280e229c24d5cf12a03dbf248df89c474, which can be applied by upgrading to a newer PX4 release.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score shows an exploitation probability of less than 1%, and the vulnerability is not listed in CISA's KEV catalog. The attack vector requires the attacker to have MAVLink link access, typically on the same network or via a direct connection to the drone. Exploitation involves creating deeply nested directories over MAVLink FTP and then sending a log list request, after which the drone will crash and enter a DoS state.

Generated by OpenCVE AI on March 19, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PX4 Autopilot to a version newer than 1.17.0‑rc2 (apply the fix in commit 616b25a280e229c24d5cf12a03dbf248df89c474).
  • If an immediate upgrade is not possible, restrict or disable MAVLink log request handling on untrusted interfaces or implement firewall rules to block malicious MAVLink traffic.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Dronecode
Dronecode px4 Drone Autopilot
CPEs cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:*
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc2:*:*:*:*:*:*
Vendors & Products Dronecode
Dronecode px4 Drone Autopilot

Thu, 19 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Mar 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Px4
Px4 px4-autopilot
Vendors & Products Px4
Px4 px4-autopilot

Wed, 18 Mar 2026 23:45:00 +0000

Type Values Removed Values Added
Description PX4 is an open-source autopilot stack for drones and unmanned vehicles. Versions 1.17.0-rc2 and below are vulnerable to Stack-based Buffer Overflow through the MavlinkLogHandler, and are triggered via MAVLink log request. The LogEntry.filepath buffer is 60 bytes, but the sscanf function parses paths from the log list file with no width specifier, allowing a path longer than 60 characters to overflow the buffer. An attacker with MAVLink link access can trigger this by first creating deeply nested directories via MAVLink FTP, then requesting the log list. The flight controller MAVLink task crashes, losing telemetry and command capability and causing DoS. This issue has been fixed in this commit: https://github.com/PX4/PX4-Autopilot/commit/616b25a280e229c24d5cf12a03dbf248df89c474.
Title PX4 Autopilot: Stack-based Buffer Overflow via Oversized Path Input in MAVLink Log Request Handling
Weaknesses CWE-121
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T15:41:04.883Z

Reserved: 2026-03-13T15:02:00.629Z

Link: CVE-2026-32743

Vulnrichment

Updated: 2026-03-19T15:40:50.317Z

NVD

Status : Analyzed

Published: 2026-03-19T00:16:18.177

Modified: 2026-03-19T18:00:32.280

Link: CVE-2026-32743

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:51:49Z

Weaknesses