{"id":"CVE-2026-32707","summary":"PX4 autopilot has a stack buffer overflow in tattu_can due to unbounded memcpy in frame assembly loop","details":"PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, tattu_can contains an unbounded memcpy in its multi-frame assembly loop, allowing stack memory overwrite when crafted CAN frames are processed. In deployments where tattu_can is enabled and running, a CAN-injection-capable attacker can trigger a crash (DoS) and memory corruption. This vulnerability is fixed in 1.17.0-rc2.","aliases":["GHSA-wxwm-xmx9-hr32"],"modified":"2026-07-08T08:12:47.204168842Z","published":"2026-03-13T21:18:09.118Z","database_specific":{"cwe_ids":["CWE-121"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32707.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32707.json"},{"type":"ADVISORY","url":"https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-wxwm-xmx9-hr32"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32707"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/px4/px4-autopilot","events":[{"introduced":"0"},{"fixed":"d6f12ad1c4f70ad3230afd7d86e971421e02fef4"},{"introduced":"c2fb48990aacebc938c4e9998c7d5348f858fd22"}],"database_specific":{"cpe":["cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*","cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"fixed":"1.17.0"},{"introduced":"1.17.0-alpha1"},{"last_affected":"1.17.0-alpha1"},{"introduced":"1.17.0-beta1"},{"last_affected":"1.17.0-beta1"},{"introduced":"1.17.0-rc1"},{"last_affected":"1.17.0-rc1"}],"source":["CPE_RANGE","CPE_STRING"]}}],"versions":["1.17.0-alpha1","1.17.0-beta1","1.17.0-rc1","v1.17.0-rc2","v1.17.0-rc1","v1.17.0-beta1","v1.17.0-alpha1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32707.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"}]}