CVE-2026-32708 is a stack-based buffer overflow vulnerability identified in the PX4-Autopilot software, a widely used open-source flight control solution for drones. The vulnerability specifically resides in the Zenoh uORB subscriber module, which handles communication messages. Prior to version 1.17.0-rc2, this component allocates a variable-length array (VLA) on the stack directly based on the length of incoming payloads without enforcing any upper bounds. A remote Zenoh publisher can exploit this by sending an oversized fragmented message, causing the subscriber to allocate an excessively large stack buffer and copy data beyond the intended limits. This results in a stack overflow condition that crashes the Zenoh bridge task, potentially leading to denial of service and enabling further exploitation to compromise system confidentiality and integrity. The vulnerability requires low-level privileges (local access) but no user interaction, and the attack vector is local (AV:L). The CVSS v3.1 base score is 7.8, reflecting high severity due to the combined impact on confidentiality, integrity, and availability. The flaw was publicly disclosed on March 13, 2026, and has been addressed in PX4-Autopilot version 1.17.0-rc2. No known exploits in the wild have been reported to date.

The vulnerability poses significant risks to organizations deploying PX4-Autopilot in drone operations, including commercial, industrial, and research applications. Exploitation can cause denial of service by crashing critical flight control components, potentially leading to loss of drone control and mission failure. Furthermore, the stack overflow may be leveraged to execute arbitrary code, compromising the confidentiality and integrity of the drone’s systems and data. This could enable attackers to manipulate flight behavior, intercept sensitive telemetry, or disrupt drone fleets. Given the increasing reliance on drones for logistics, surveillance, agriculture, and defense, such disruptions could have operational, financial, and safety consequences. The requirement for local access limits remote exploitation but insider threats or compromised local networks could facilitate attacks. The vulnerability’s presence in an open-source autopilot framework means that a broad range of drone manufacturers and operators using PX4-Autopilot versions prior to 1.17.0-rc2 are at risk.

Organizations should immediately upgrade PX4-Autopilot to version 1.17.0-rc2 or later, where the vulnerability is fixed. Until upgrades are applied, restrict access to the Zenoh communication interface to trusted and authenticated entities only, minimizing exposure to untrusted local users or devices. Implement network segmentation and strict access controls to prevent unauthorized local access to drone control systems. Conduct thorough code reviews and fuzz testing on any custom extensions or integrations with the Zenoh uORB subscriber to detect similar unsafe memory operations. Employ runtime protections such as stack canaries, address space layout randomization (ASLR), and control flow integrity (CFI) where supported by the platform to mitigate exploitation impact. Monitor drone system logs for unusual crashes or communication anomalies indicative of attempted exploitation. Finally, maintain an incident response plan tailored to drone operational environments to quickly address potential compromises.