CVE-2026-32705 is a stack-based buffer overflow vulnerability identified in the PX4-Autopilot software, a widely used open-source flight control solution for drones. The vulnerability exists in the BST telemetry probe component prior to version 1.17.0-rc2. Specifically, the probe writes a string terminator based on a length value (dev_name_len) provided by the connected device without performing adequate bounds checking. If a malicious BST device reports an excessively large dev_name_len, it can cause a stack overflow in the driver code. This overflow can lead to a task crash, resulting in denial of service, or potentially allow an attacker to execute arbitrary code with the privileges of the affected process. The vulnerability is classified under CWE-121 (stack-based buffer overflow). The CVSS v3.1 base score is 6.8, reflecting a medium severity level with high impact on confidentiality, integrity, and availability. The attack vector is physical or local network access to the telemetry interface, with no privileges or user interaction required. The flaw has been addressed in PX4-Autopilot version 1.17.0-rc2 by implementing proper bounds checking on the dev_name_len value. No public exploits or active exploitation have been reported to date, but the vulnerability poses a risk to drone operations relying on vulnerable PX4 versions.

The primary impact of CVE-2026-32705 is the potential for denial of service through task crashes in the PX4 flight control system, which can disrupt drone operations and compromise mission-critical functions. More severely, the stack overflow may enable arbitrary code execution, allowing attackers to take control of the autopilot software. This could lead to unauthorized manipulation of drone flight behavior, data exfiltration, or use of the drone as a pivot point for further network attacks. Given the critical role of PX4 in drone navigation and control, exploitation could result in physical damage, safety hazards, and loss of sensitive data. Organizations deploying PX4-based drones in commercial, industrial, or defense contexts face risks to operational continuity, safety, and confidentiality. The requirement for a malicious BST telemetry device to trigger the vulnerability somewhat limits remote exploitation but does not eliminate risk, especially in environments where physical access or supply chain compromise is possible.

To mitigate CVE-2026-32705, organizations should immediately upgrade PX4-Autopilot installations to version 1.17.0-rc2 or later, where the vulnerability is fixed. Until upgrades are applied, restrict access to the BST telemetry interface to trusted devices only, employing physical security controls and network segmentation to prevent unauthorized device connections. Implement strict device authentication and validation mechanisms for telemetry probes to detect and block malformed or malicious inputs. Conduct thorough supply chain verification to ensure telemetry devices are from trusted sources. Additionally, monitor drone flight control logs and telemetry data for anomalies indicative of exploitation attempts or crashes. Employ runtime protections such as stack canaries and address space layout randomization (ASLR) where supported by the PX4 platform to reduce exploitation likelihood. Finally, incorporate vulnerability scanning and patch management into drone software lifecycle processes to promptly address future security issues.