CVE-2026-32708 is a stack-based buffer overflow vulnerability identified in the PX4-Autopilot, an open-source flight control software widely used in drone platforms. The vulnerability is located in the Zenoh uORB subscriber component, which handles inter-module communication by subscribing to messages. Prior to version 1.17.0-rc2, the subscriber allocates a variable-length array (VLA) on the stack directly based on the length of incoming payloads without enforcing any upper bounds. A remote Zenoh publisher can exploit this by sending an oversized fragmented message, causing the subscriber to allocate an excessively large stack buffer and copy the payload into it. This leads to a stack overflow condition, resulting in a crash of the Zenoh bridge task and potential execution of arbitrary code. The vulnerability is classified under CWE-121 (stack-based buffer overflow). The CVSS v3.1 base score is 7.8, reflecting high severity due to the potential for full compromise of confidentiality, integrity, and availability. Exploitation requires local privileges (AV:L) but no user interaction (UI:N). No known exploits are currently reported in the wild. The issue is resolved in PX4-Autopilot version 1.17.0-rc2 by implementing proper bounds checking on the payload length before stack allocation.

This vulnerability poses significant risks to organizations deploying PX4-Autopilot in drone operations, including commercial, industrial, and research applications. Exploitation can lead to denial of service via crashes of critical flight control components, potentially causing drone malfunctions or loss of control. More severe impacts include the possibility of arbitrary code execution, which could allow attackers to manipulate drone behavior, intercept or alter telemetry data, or disrupt mission-critical operations. Given the increasing reliance on drones for delivery, surveillance, agriculture, and defense, such compromises could result in operational failures, safety hazards, data breaches, and financial losses. The requirement for local privileges limits remote exploitation but insider threats or compromised local networks could facilitate attacks. The vulnerability undermines the confidentiality, integrity, and availability of drone control systems, making it a critical concern for organizations with drone fleets or autonomous aerial systems.

Organizations should immediately upgrade PX4-Autopilot installations to version 1.17.0-rc2 or later, where the vulnerability is patched. Until upgrades can be applied, restrict access to systems running PX4-Autopilot to trusted users and networks to reduce the risk of local exploitation. Implement network segmentation and strict access controls around drone control infrastructure to prevent unauthorized local access. Monitor logs and system behavior for signs of crashes or anomalous activity related to the Zenoh bridge task. Conduct code audits and penetration testing focusing on inter-module communication components like Zenoh uORB subscribers. Consider deploying runtime protections such as stack canaries and address space layout randomization (ASLR) if supported by the platform. Educate operators and administrators about the risks of local privilege escalation and the importance of timely patching. Finally, maintain an incident response plan tailored to drone system compromises.