PX4-Autopilot, an open-source autopilot software widely used in drones and unmanned vehicles, contains a stack-based buffer overflow vulnerability identified as CVE-2026-32743. The flaw exists in the MavlinkLogHandler module, specifically in the handling of log file paths. The LogEntry.filepath buffer is statically allocated with 60 bytes, but the sscanf function used to parse file paths from the log list does not enforce a maximum field width, allowing an attacker to supply a path longer than 60 characters. This overflow can be triggered by an attacker who has MAVLink link access by first creating deeply nested directories using MAVLink FTP, then requesting the log list via MAVLink. When the buffer overflow occurs, it corrupts the stack, causing the flight controller's MAVLink task to crash. This crash leads to a denial-of-service condition by disrupting telemetry data and command/control communication with the drone, potentially causing mission failure or loss of control. The vulnerability does not impact confidentiality or integrity directly but severely impacts availability. Exploitation requires network access to the MAVLink interface but does not require authentication or user interaction, increasing the risk in exposed environments. The issue has been addressed in a patch committed to the PX4 repository, which adds proper bounds checking to prevent buffer overflow. No public exploits have been reported yet, but the vulnerability is significant due to the critical role of PX4 in drone operations.

The primary impact of this vulnerability is denial-of-service against drones or unmanned vehicles running vulnerable PX4 versions. By crashing the MAVLink task, attackers can disrupt telemetry and command channels, potentially causing loss of control or mission aborts. This can have serious safety implications, especially in commercial, industrial, or governmental drone operations where reliable control and data are critical. Organizations relying on PX4 for autonomous or remotely piloted vehicles may experience operational downtime, increased risk of accidents, or mission failures. Since MAVLink is often exposed over wireless links, attackers within communication range or with network access could exploit this vulnerability. The lack of authentication requirement for exploitation increases the threat surface. Although no confidentiality or integrity compromise is indicated, the availability impact alone can have severe consequences in sectors like agriculture, delivery, surveillance, or defense where PX4 is deployed.

Organizations should immediately upgrade PX4-Autopilot to versions later than 1.17.0-rc2 where the vulnerability is patched. Until upgrades are applied, restrict network access to the MAVLink interface to trusted entities only, using network segmentation, firewalls, or VPNs to limit exposure. Disable or restrict MAVLink FTP functionality if not required to reduce attack vectors. Implement monitoring for unusual MAVLink FTP activity or log list requests that could indicate exploitation attempts. Employ runtime protections such as stack canaries or address space layout randomization (ASLR) if supported by the flight controller hardware and software environment. Conduct thorough testing of autopilot software updates in controlled environments before deployment to ensure stability. Finally, maintain awareness of PX4 security advisories and apply patches promptly to mitigate emerging threats.