CVE-2026-32713 MEDIUM

CVE-2026-32713: PX4 Autopilot MAVLink FTP Session Validation Logic Error Allows Operations on Invalid File Descriptors

Vendor Px4

Product PX4-Autopilot

Weakness CWE-670

Published March 13, 2026

Last update March 17, 2026

View on NVD All CVEs

CVSS base score

4.3/10

Attack vector Adjacent

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, A logic error in the PX4 Autopilot MAVLink FTP session validation uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descriptors. This enables an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. This vulnerability is fixed in 1.17.0-rc2.

Key dates

02Disclosure timeline

March 13, 2026 CVE published

March 17, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-32713 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/670.html

Related vulnerabilities

CVE-2026-32713: PX4 Autopilot MAVLink FTP Session Validation Logic Error Allows Operations on Invalid File Descriptors

01Description

02Disclosure timeline

03References

04Related CVE