CVE-2026-32705 is a stack-based buffer overflow vulnerability identified in the PX4-Autopilot software, a widely used open-source flight control solution for drones. The vulnerability exists in the BST telemetry probe component, which handles device telemetry data. Specifically, prior to version 1.17.0-rc2, the probe writes a string terminator based on a length value (dev_name_len) provided by the connected device without performing adequate bounds checking. A malicious BST device can exploit this by reporting an excessively large dev_name_len, causing the software to write beyond the allocated stack buffer. This overflow can lead to a task crash or potentially allow an attacker to execute arbitrary code with the privileges of the PX4 flight control process. The vulnerability does not require authentication or user interaction but does require the attacker to be able to communicate with the BST telemetry interface, which may be local or network-exposed depending on deployment. The CVSS v3.1 score of 6.8 reflects a medium severity with high impact on confidentiality, integrity, and availability, but limited attack vector (physical or network proximity). The issue was publicly disclosed on March 13, 2026, and fixed in PX4-Autopilot version 1.17.0-rc2. No known exploits have been reported in the wild to date. This vulnerability highlights the risks of trusting device-provided input lengths without validation in embedded and drone control software.

The impact of CVE-2026-32705 is significant for organizations relying on PX4-Autopilot for drone operations, including commercial, research, and governmental entities. Exploitation can lead to denial of service through task crashes, disrupting drone flight control and potentially causing mission failure or physical damage. More critically, the vulnerability may allow arbitrary code execution within the flight control system, risking unauthorized control or manipulation of drone behavior. This could lead to data breaches, loss of sensitive operational data, or use of drones as attack vectors in broader cyber-physical attacks. The medium CVSS score reflects the need for attacker proximity, but the high impact on confidentiality, integrity, and availability makes this a serious concern. Organizations operating drones in critical infrastructure, defense, or commercial delivery sectors are especially at risk, as successful exploitation could compromise safety and operational integrity.

To mitigate CVE-2026-32705, organizations should immediately update PX4-Autopilot to version 1.17.0-rc2 or later, where the vulnerability is patched. Beyond patching, implement strict validation and filtering of telemetry data from BST devices to ensure length fields are within expected bounds before processing. Limit access to the BST telemetry interface by network segmentation or physical controls to prevent unauthorized devices from connecting. Employ runtime protections such as stack canaries and address space layout randomization (ASLR) where supported by the PX4 platform to reduce exploitation success. Regularly audit and monitor drone telemetry logs for anomalous device behavior or unexpected telemetry lengths. For deployments in sensitive environments, consider additional hardware authentication mechanisms for telemetry devices to prevent malicious device spoofing. Finally, maintain an incident response plan tailored to drone control system compromises.