6.5
CVE-2026-32713
- EPSS 0.39%
- Veröffentlicht 13.03.2026 21:20:09
- Zuletzt bearbeitet 16.03.2026 19:00:42
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginPX4 Autopilot MAVLink FTP Session Validation Logic Error Allows Operations on Invalid File Descriptors
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, A logic error in the PX4 Autopilot MAVLink FTP session validation uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descriptors. This enables an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. This vulnerability is fixed in 1.17.0-rc2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Dronecode ≫ Px4 Drone Autopilot Version < 1.17.0
Dronecode ≫ Px4 Drone Autopilot Version1.17.0 Updatealpha1
Dronecode ≫ Px4 Drone Autopilot Version1.17.0 Updatebeta1
Dronecode ≫ Px4 Drone Autopilot Version1.17.0 Updaterc1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.39% | 0.303 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 |
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
|
| security-advisories@github.com | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
|
CWE-670 Always-Incorrect Control Flow Implementation
The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-pp2c-jr5g-6f2m