Unrated severityNVD Advisory· Published Mar 13, 2026· Updated Mar 17, 2026

PX4 Autopilot MAVLink FTP Session Validation Logic Error Allows Operations on Invalid File Descriptors

CVE-2026-32713

Description

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, A logic error in the PX4 Autopilot MAVLink FTP session validation uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descriptors. This enables an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. This vulnerability is fixed in 1.17.0-rc2.

Affected products

Px4/Px4 Autopilotv5
Range: < 1.17.0-rc2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/PX4/PX4-Autopilot/security/advisories/GHSA-pp2c-jr5g-6f2mmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000