CVE-2026-32707: CWE-121: Stack-based Buffer Overflow in PX4 PX4-Autopilot
CVE-2026-32707 is a stack-based buffer overflow vulnerability in the PX4-Autopilot flight control software used for drones. The flaw exists in the tattu_can module prior to version 1.17.0-rc2, where an unbounded memcpy in the multi-frame assembly loop allows crafted CAN frames to overwrite stack memory. An attacker capable of injecting CAN frames can cause a denial-of-service crash and memory corruption. This vulnerability does not require authentication or user interaction but requires physical or network access to the CAN bus. The vulnerability has a CVSS score of 5.2, indicating medium severity. No known exploits are currently reported in the wild. The issue is fixed in PX4 version 1.
AI Analysis
Technical Summary
PX4-Autopilot is an open-source flight control software widely used in drone platforms. The vulnerability CVE-2026-32707 is a stack-based buffer overflow categorized under CWE-121, found in the tattu_can module responsible for processing CAN (Controller Area Network) frames. Specifically, prior to version 1.17.0-rc2, the multi-frame assembly loop uses an unbounded memcpy operation without proper bounds checking, allowing an attacker who can inject maliciously crafted CAN frames to overwrite stack memory. This memory corruption can lead to a crash, causing a denial-of-service (DoS) condition, and potentially other unpredictable behavior due to corrupted memory. Exploitation requires the attacker to have the capability to send arbitrary CAN frames to the device, which typically implies physical access or network access to the CAN bus. The vulnerability does not impact confidentiality but affects integrity and availability. The flaw is fixed in PX4 version 1.17.0-rc2 by adding proper bounds checking and memory handling in the tattu_can module. No public exploits have been reported, but the vulnerability poses a risk in environments where CAN injection is feasible.
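The bounds check that this class of multi-frame assembly loop needs, as an added example: this is not PX4's tattu_can code or the project's actual patch. The frame struct, `MSG_SIZE`, the status codes and `assemble_frames` are hypothetical names, and the frames in `main` are constructed sample input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CAN_MAX_DLC 8   /* classic CAN payload limit */
#define MSG_SIZE    48  /* hypothetical size of the assembled message */

/* Hypothetical frame layout, not the PX4 tattu_can structures. */
struct can_frame_s {
    uint8_t dlc;                 /* payload length claimed by the sender */
    uint8_t data[CAN_MAX_DLC];
};

enum asm_status { ASM_OK = 0, ASM_BAD_DLC = -1, ASM_OVERFLOW = -2 };

/*
 * Assemble n frames into out[out_cap]. Each length taken off the bus is
 * checked against the frame limit and the space left before memcpy runs.
 * The unbounded pattern copies frames[i].dlc bytes to out + offset and
 * advances offset without ever comparing against out_cap.
 */
int assemble_frames(const struct can_frame_s *frames, size_t n,
                    uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t offset = 0;

    for (size_t i = 0; i < n; i++) {
        size_t len = frames[i].dlc;
        if (len > CAN_MAX_DLC) return ASM_BAD_DLC;        /* lying length field */
        if (len > out_cap - offset) return ASM_OVERFLOW;  /* offset <= out_cap */
        memcpy(out + offset, frames[i].data, len);
        offset += len;
    }
    *out_len = offset;
    return ASM_OK;
}

int main(void)
{
    struct can_frame_s fr[7];    /* constructed sample frames */
    uint8_t msg[MSG_SIZE]; size_t len = 0;
    for (int i = 0; i < 7; i++) { fr[i].dlc = 8; memset(fr[i].data, 0x41 + i, 8); }
    printf("6 frames: %d\n", assemble_frames(fr, 6, msg, sizeof msg, &len));
    printf("7 frames: %d\n", assemble_frames(fr, 7, msg, sizeof msg, &len));
    return 0;
}
```

Rejecting the whole message on overflow, rather than truncating the copy, keeps a partially assembled message from being parsed as if it were complete.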
Potential Impact
The primary impact of this vulnerability is denial of service through a crash of the PX4-Autopilot system, which can disrupt drone operations. In safety-critical drone deployments, such as delivery, inspection, or military applications, this can lead to loss of control, mission failure, or physical damage. Memory corruption might also be leveraged for further exploitation, though no such exploits are known currently. Organizations relying on PX4 for drone operations could face operational downtime, safety risks, and potential financial losses. The requirement for CAN injection limits the attack surface to environments where attackers can access the CAN bus, which may be physical proximity or compromised network segments. However, as drones become more connected and integrated into critical infrastructure, the risk of remote or insider attacks increases. The medium CVSS score reflects moderate risk but with significant operational implications in affected contexts.
Mitigation Recommendations
Organizations should upgrade PX4-Autopilot installations to version 1.17.0-rc2 or later, where the vulnerability is patched. For environments where immediate upgrade is not possible, network segmentation and strict access controls should be enforced to restrict access to the CAN bus, preventing unauthorized CAN frame injection. Employ monitoring and anomaly detection on CAN traffic to identify suspicious frame patterns indicative of exploitation attempts. Physical security controls should be enhanced to prevent unauthorized access to drone hardware and communication interfaces. Additionally, implement secure boot and firmware integrity verification to detect unauthorized modifications. Developers should review and harden any other CAN frame processing code to ensure robust bounds checking and memory safety. Regular vulnerability assessments and penetration testing targeting drone communication interfaces are recommended to identify potential attack vectors.
Affected Countries
United States, China, Germany, France, Japan, South Korea, United Kingdom, Canada, Australia, Israel
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T14:33:42.824Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69b481d42f860ef943b5ebc9
Added to database: 3/13/2026, 9:29:56 PM
Last enriched: 3/13/2026, 9:45:13 PM
Last updated: 3/14/2026, 3:21:35 AM