CVE-2026-32707: CWE-121: Stack-based Buffer Overflow in PX4 PX4-Autopilot
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, tattu_can contains an unbounded memcpy in its multi-frame assembly loop, allowing stack memory overwrite when crafted CAN frames are processed. In deployments where tattu_can is enabled and running, a CAN-injection-capable attacker can trigger a crash (DoS) and memory corruption. This vulnerability is fixed in 1.17.0-rc2.
AI Analysis
Technical Summary
CVE-2026-32707 is a medium-severity stack-based buffer overflow in PX4-Autopilot, open-source flight control software widely used in drones. The vulnerability resides in the tattu_can component, specifically in its multi-frame assembly loop, where an unbounded memcpy copies data from incoming CAN frames into a stack buffer without bounds checking. An attacker able to inject crafted CAN frames can therefore overwrite stack memory, causing memory corruption and potential program crashes. Because the flaw is triggered by processing crafted CAN frames, exploitation requires access to the drone's CAN bus, or the ability to inject frames remotely if the CAN network is exposed. The impact is primarily denial of service through crashes and corrupted memory, with no direct confidentiality loss. The vulnerability affects all PX4-Autopilot versions prior to 1.17.0-rc2 where tattu_can is enabled. The PX4 development team addressed the issue in version 1.17.0-rc2 by introducing proper bounds checking and limiting the memcpy operation. There are no known exploits in the wild at this time, but the vulnerability poses a risk to drone operations, especially in environments where attackers can access the CAN bus. The CVSS v3.1 base score is 5.2 (medium severity), with a physical attack vector (AV:P), low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, limited integrity impact, and high availability impact.
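The bug class described above, shown as an added illustration with the bounds checks a multi-frame assembly loop needs; this is not PX4's tattu_can code or its actual patch. All type names, function names and the 48-byte buffer size are hypothetical, and classic CAN (at most 8 data bytes per frame) is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names and sizes for illustration; not taken from PX4. */
#define CAN_MAX_DLC  8u    /* classic CAN carries at most 8 data bytes */
#define MSG_BUF_SIZE 48u   /* assumed size of the stack reassembly buffer */

typedef struct { uint8_t dlc; uint8_t data[CAN_MAX_DLC]; } can_frame_t;
enum { ASM_BAD_DLC = -1, ASM_OVERFLOW = -2 };

/*
 * The unsafe pattern is a loop that does
 *     memcpy(buf + offset, f->data, f->dlc); offset += f->dlc;
 * with nothing tying offset to sizeof(buf). This version validates the
 * per-frame length and the remaining space before every copy.
 * Returns the assembled length, or a negative ASM_* code.
 */
long assemble_bounded(const can_frame_t *frames, size_t n,
                      uint8_t *out, size_t out_cap)
{
    size_t offset = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = frames[i].dlc;
        if (len > CAN_MAX_DLC)
            return ASM_BAD_DLC;      /* length field exceeds the frame payload */
        if (len > out_cap - offset)  /* offset <= out_cap, so no underflow */
            return ASM_OVERFLOW;     /* reject the message instead of writing past out */
        memcpy(out + offset, frames[i].data, len);
        offset += len;
    }
    return (long)offset;
}

/* Constructed input: n frames, each claiming `dlc` bytes, assembled into a stack buffer. */
long demo_assemble(size_t n, uint8_t dlc)
{
    can_frame_t frames[16];
    uint8_t buf[MSG_BUF_SIZE];
    if (n > 16) n = 16;
    for (size_t i = 0; i < n; i++) {
        frames[i].dlc = dlc;
        memset(frames[i].data, (int)i, CAN_MAX_DLC);
    }
    return assemble_bounded(frames, n, buf, sizeof buf);
}
```

A receiver that gets `ASM_OVERFLOW` or `ASM_BAD_DLC` should discard the partial message and reset its assembly state rather than continue appending.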
Potential Impact
The primary impact of CVE-2026-32707 is on the availability and integrity of drone flight control systems using vulnerable PX4-Autopilot versions with the tattu_can module enabled. Successful exploitation can cause drones to crash or behave unpredictably due to memory corruption, potentially leading to loss of control or mission failure. This can disrupt commercial drone operations, including delivery services, aerial surveying, agriculture monitoring, and critical infrastructure inspection. In military or government drone deployments, such disruptions could have strategic consequences. Since the vulnerability requires CAN frame injection, attackers with physical or network access to the CAN bus pose the greatest risk. The lack of confidentiality impact reduces the risk of data leakage, but the integrity and availability consequences can lead to safety hazards and operational downtime. Organizations relying on PX4-based drones should consider the operational risks of unpatched systems, especially in hostile or unsecured environments.
Mitigation Recommendations
To mitigate CVE-2026-32707, organizations should immediately upgrade PX4-Autopilot to version 1.17.0-rc2 or later, where the vulnerability is patched. If upgrading is not immediately feasible, disabling the tattu_can module can reduce exposure, provided that this does not impair critical functionality. Network segmentation and physical security controls should be enforced to prevent unauthorized access to the CAN bus, limiting the ability of attackers to inject malicious frames. Employing CAN bus message authentication or encryption, if supported, can further reduce risk. Regularly auditing drone firmware versions and configurations will help ensure vulnerable versions are not in use. Additionally, monitoring drone behavior for anomalies indicative of memory corruption or crashes can provide early warning of exploitation attempts. Developers should review other CAN-related code for similar unbounded memory operations to prevent future vulnerabilities.
Affected Countries
United States, China, Germany, France, Japan, South Korea, United Kingdom, Canada, Australia, Israel
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T14:33:42.824Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69b481d42f860ef943b5ebc9
Added to database: 3/13/2026, 9:29:56 PM
Last enriched: 3/20/2026, 11:11:55 PM
Last updated: 4/28/2026, 7:20:01 AM