Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, The crsf_rc parser accepts an oversized variable-length known packet and copies it into a fixed 64-byte global buffer without a bounds check. In deployments where crsf_rc is enabled on a CRSF serial port, an adjacent/raw-serial attacker can trigger memory corruption and crash PX4. This vulnerability is fixed in 1.17.0-rc2.
AnalysisAI
Buffer overflow vulnerability in PX4 autopilot drone firmware versions before 1.17.0-rc2 that allows adjacent network attackers to crash the system by sending oversized CRSF packets. The vulnerability requires the CRSF receiver protocol to be enabled on a serial port and can cause memory corruption leading to denial of service. No active exploitation (not in KEV) or public POC has been reported.
Technical ContextAI
The vulnerability affects the PX4-Autopilot firmware (CPE: cpe:2.3:a:px4:px4-autopilot:*:*:*:*:*:*:*:*), specifically in the CRSF (Crossfire) RC receiver protocol parser. CRSF is a serial communication protocol used for radio control systems in drones. The root cause is a classic buffer overflow (CWE-120) where the crsf_rc parser copies variable-length packet data into a fixed 64-byte global buffer without proper bounds checking. This allows packets larger than 64 bytes to overflow the buffer and corrupt adjacent memory.
RemediationAI
Primary remediation: Update to PX4-Autopilot version 1.17.0-rc2 or later, which contains the fix for this vulnerability. The patch is available through the official PX4 GitHub repository as referenced in the advisory at https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-mqgj-hh4g-fg5p. As a workaround, if updating is not immediately possible, disable CRSF receiver protocol on serial ports or restrict physical access to drone serial interfaces.
More in Px4 Autopilot
View allStack overflow vulnerability in PX4 autopilot drone flight control software (versions prior to 1.17.0-rc2) where the Zen
PX4 autopilot versions prior to 1.17.0-rc2 contain a stack overflow vulnerability in the BST telemetry probe driver that
An unauthenticated path traversal vulnerability in PX4 Autopilot's MAVLink FTP implementation (CWE-22) allows any MAVLin
PX4 Autopilot versions prior to 1.17.0-rc1 contain a heap-use-after-free vulnerability in the MavlinkShell::available()
PX4 autopilot versions prior to 1.17.0-rc2 contain an unbounded memcpy vulnerability in the tattu_can module that allows
PX4 Autopilot prior to version 1.17.0-rc2 contains a boolean logic error in MAVLink FTP session validation that uses AND
Same weakness CWE-120 – Classic Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12150