CVE-2026-32743

Source
https://cve.org/CVERecord?id=CVE-2026-32743
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32743.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32743
Aliases
  • GHSA-97c4-68r9-96p5
Published
2026-03-18T23:26:51.255Z
Modified
2026-07-15T20:32:03.085625Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
PX4 Autopilot: Stack-based Buffer Overflow via Oversized Path Input in MAVLink Log Request Handling
Details

PX4 is an open-source autopilot stack for drones and unmanned vehicles. Versions 1.17.0-rc2 and below are vulnerable to Stack-based Buffer Overflow through the MavlinkLogHandler, and are triggered via MAVLink log request. The LogEntry.filepath buffer is 60 bytes, but the sscanf function parses paths from the log list file with no width specifier, allowing a path longer than 60 characters to overflow the buffer. An attacker with MAVLink link access can trigger this by first creating deeply nested directories via MAVLink FTP, then requesting the log list. The flight controller MAVLink task crashes, losing telemetry and command capability and causing DoS. This issue has been fixed in this commit: https://github.com/PX4/PX4-Autopilot/commit/616b25a280e229c24d5cf12a03dbf248df89c474.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-121"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32743.json"
}
References

Affected packages

Git / github.com/px4/px4-autopilot

Affected ranges

Type
GIT
Repo
https://github.com/px4/px4-autopilot
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "source": [
        "CPE_RANGE",
        "CPE_STRING",
        "REFERENCES"
    ],
    "cpe": [
        "cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*",
        "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*",
        "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*",
        "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:*",
        "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc2:*:*:*:*:*:*"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.17.0"
        },
        {
            "introduced": "1.17.0-alpha1"
        },
        {
            "last_affected": "1.17.0-alpha1"
        },
        {
            "introduced": "1.17.0-beta1"
        },
        {
            "last_affected": "1.17.0-beta1"
        },
        {
            "introduced": "1.17.0-rc1"
        },
        {
            "last_affected": "1.17.0-rc1"
        },
        {
            "introduced": "1.17.0-rc2"
        },
        {
            "last_affected": "1.17.0-rc2"
        }
    ]
}

Affected versions

1.*
1.17.0-alpha1
1.17.0-beta1
1.17.0-rc1
1.17.0-rc2
v1.*
v1.17.0-alpha1
v1.17.0-beta1
v1.17.0-rc1
v1.17.0-rc2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32743.json"
vanir_signatures
[
    {
        "id": "CVE-2026-32743-0731ede8",
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/px4/px4-autopilot/commit/616b25a280e229c24d5cf12a03dbf248df89c474",
        "deprecated": false,
        "digest": {
            "function_hash": "99312742348915661979489768133036614673",
            "length": 1394.0
        },
        "target": {
            "function": "MavlinkLogHandler::state_listing",
            "file": "src/modules/mavlink/mavlink_log_handler.cpp"
        }
    },
    {
        "id": "CVE-2026-32743-46b4ecb8",
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/px4/px4-autopilot/commit/616b25a280e229c24d5cf12a03dbf248df89c474",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "337629107499693923584744912966357938127",
                "97631405929942967562900435080347378022",
                "34024874931508612499518212218331396102",
                "72466405241758535646579003041687919487",
                "125853767332586479638014701812813217498",
                "185064556205902483090349199868768679618",
                "143040743581066503114240943886961673283",
                "125666745775648451080293522147245446720",
                "121055837108841376504909300461019273441",
                "250937332830067062698745287969482370688",
                "338373535979288007370555990263192667297",
                "40300939436239318821967694431966645431",
                "89648913941110578000452302979175021659",
                "258581468452969465890779276430447901352",
                "211180633958988606407411419447756653418",
                "235180251600226913195988330099881620369",
                "10026206812545627022909606092758356603",
                "329671870683540699079379797454111401741",
                "305112698545514371331838173825952746356",
                "188940433049158170500560814224305794540"
            ]
        },
        "target": {
            "file": "src/modules/mavlink/mavlink_log_handler.cpp"
        }
    },
    {
        "id": "CVE-2026-32743-5ce5da73",
        "signature_type": "Function",
        "signature_version": "v1",
        "source": "https://github.com/px4/px4-autopilot/commit/616b25a280e229c24d5cf12a03dbf248df89c474",
        "deprecated": false,
        "digest": {
            "function_hash": "27809595265015087608486801144875829867",
            "length": 782.0
        },
        "target": {
            "function": "MavlinkLogHandler::log_entry_from_id",
            "file": "src/modules/mavlink/mavlink_log_handler.cpp"
        }
    },
    {
        "id": "CVE-2026-32743-8cd50ee8",
        "signature_type": "Line",
        "signature_version": "v1",
        "source": "https://github.com/px4/px4-autopilot/commit/616b25a280e229c24d5cf12a03dbf248df89c474",
        "deprecated": false,
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "189105260875883242646213903333643949573",
                "258909814962582548187107942758417716010",
                "100859747214660596755893316805756166625",
                "243330720897874287270736188372145716188",
                "194485164080632305436367132427703322205",
                "100577233503923012815331722884019021377",
                "258527978135600047548519630901480956360"
            ]
        },
        "target": {
            "file": "src/modules/mavlink/mavlink_log_handler.h"
        }
    }
]
vanir_signatures_modified
"2026-07-15T20:32:03Z"