PT-2026-25395 · Px4+2 · Px4-Autopilot+1

Dxleryt · Published 2026-03-13 · Updated 2026-03-16 · CVE-2026-32713

CVSS v3.1: 6.5 (Medium)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

PX4 autopilot versions prior to 1.17.0-rc2

Description

A logic error exists in the PX4 Autopilot MAVLink FTP session validation. The validation uses incorrect boolean logic (&& instead of ||), allowing BurstReadFile and WriteFile operations to proceed with invalid sessions or closed file descriptors. This allows an unauthenticated attacker to put the FTP subsystem into an inconsistent state, trigger operations on invalid file descriptors, and bypass session isolation checks. The vulnerable component is the MAVLink FTP session validation logic.

Recommendations

Update to version 1.17.0-rc2 or later.
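
The && versus || error described above, shown as a simplified model with the flawed check beside the corrected one. This is an added example, not PX4 source code; the single-session design, the session id 0, and all names (Session, validate_flawed, validate_fixed, wrongly_accepted) are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical model of a one-session file transfer server (not PX4 code).
struct Session {
    int fd = -1;                       // -1 means no file is currently open
};
constexpr uint8_t kOnlySessionId = 0;  // assumed: the only valid session id

enum class Result { Ok, InvalidSession };

// Flawed: rejects only when the session id is wrong AND the file is closed.
Result validate_flawed(const Session &s, uint8_t requested) {
    if (requested != kOnlySessionId && s.fd < 0) return Result::InvalidSession;
    return Result::Ok;
}

// Corrected: rejects when the session id is wrong OR the file is closed.
Result validate_fixed(const Session &s, uint8_t requested) {
    if (requested != kOnlySessionId || s.fd < 0) return Result::InvalidSession;
    return Result::Ok;
}

struct Case { uint8_t session; int fd; };

// Runs all four id/descriptor combinations (constructed test values) and
// returns the ones the validator accepts although they must be rejected.
template <typename F>
std::vector<Case> wrongly_accepted(F validate) {
    const Case cases[] = {{0, 3}, {0, -1}, {7, 3}, {7, -1}};
    std::vector<Case> out;
    for (const Case &c : cases) {
        Session s;
        s.fd = c.fd;
        const bool legitimate = (c.session == kOnlySessionId && c.fd >= 0);
        if (validate(s, c.session) == Result::Ok && !legitimate) out.push_back(c);
    }
    return out;
}

int main() {
    for (const Case &c : wrongly_accepted(validate_flawed))
        std::printf("flawed check accepts session=%d fd=%d\n", (int)c.session, c.fd);
    std::printf("fixed check wrongly accepts %zu cases\n",
                wrongly_accepted(validate_fixed).size());
    return 0;
}
```

The flawed check passes the two mixed cases: a valid session id with a closed descriptor, and a foreign session id while a file is open. A regression test for the fix should cover both.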

Related Identifiers

CVE-2026-32713
GHSA-PP2C-JR5G-6F2M

Affected Products

Px4-Autopilot
Px4 Drone Autopilot