Skip to content

Stack buffer overflow in tattu_can due to unbounded memcpy in frame assembly loop

Moderate
mrpollo published GHSA-wxwm-xmx9-hr32 Mar 13, 2026

Package

PX4/PX4-Autopilot (Other)

Affected versions

<= 1.17.0-rc1

Patched versions

1.17.0-rc2

Description

Summary

tattu_can contains an unbounded memcpy in its multi-frame assembly loop, allowing stack memory overwrite when crafted CAN frames are processed.
In deployments where tattu_can is enabled and running, a CAN-injection-capable attacker can trigger a crash (DoS) and memory corruption.

Details

The vulnerable code is in src/drivers/tattu_can/TattuCan.cpp (assembly logic around line 114):

  • offset starts at 5.
  • For each subsequent frame, payload_size = received_frame.payload_size - 1.
  • Data is copied with:
    memcpy(((char *)&tattu_message) + offset, received_frame.payload, payload_size);
  • There is no bounds check enforcing:
    offset + payload_size <= sizeof(Tattu12SBatteryMessage).

As a result, repeated crafted frames overflow the stack object tattu_message.

Operational condition:

  • tattu_can must be compiled and started (CONFIG_DRIVERS_TATTU_CAN=y + tattu_can start).
  • This is typically vendor/custom firmware specific (not commonly enabled in default upstream builds).

PoC

Integrated reproduction was performed with real PX4 runtime in Docker (not copied vulnerable snippet testing).

Reproduction files:

  • security-lab/Dockerfile
  • security-lab/container_run.sh
  • security-lab/poc/tattu_can_can_injector.c
  • security-lab/run.sh

Steps:

cd security-lab
./run.sh

Attachment

security-lab_20260311_200146.zip

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Physical
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

CVE ID

CVE-2026-32707

Weaknesses

Stack-based Buffer Overflow

A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). Learn more on MITRE.

Credits