Px4 Autopilot
CVE-2026-32724
MEDIUM
Severity by source
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc1, a heap-use-after-free is detected in the MavlinkShell::available() function. The issue is caused by a race condition between the MAVLink receiver thread (which handles shell creation/destruction) and the telemetry sender thread (which polls the shell for available output). The issue is remotely triggerable via MAVLink SERIAL_CONTROL messages (ID 126), which can be sent by an external ground station or automated script. This vulnerability is fixed in 1.17.0-rc1.
AnalysisAI
PX4 Autopilot versions prior to 1.17.0-rc1 contain a heap-use-after-free vulnerability in the MavlinkShell::available() function caused by a race condition between the MAVLink receiver and telemetry sender threads. Remote attackers can trigger this vulnerability by sending crafted SERIAL_CONTROL messages (ID 126) via MAVLink, leading to denial of service of the flight control system. The vulnerability affects drone operators and systems accepting MAVLink telemetry from untrusted ground stations or networks.
Technical ContextAI
PX4 is an open-source flight control autopilot for unmanned aerial vehicles that processes MAVLink protocol communications. The vulnerability resides in the MavlinkShell component, which handles shell command execution via MAVLink's SERIAL_CONTROL message type (message ID 126). The root cause is a classic race condition (CWE-416: use-after-free) occurring between two concurrent threads: the MAVLink receiver thread that creates and destroys shell instances, and the telemetry sender thread that polls the shell's available() method for output data. Without proper synchronization primitives (mutexes or atomic operations), one thread may access a shell object that has already been freed by the other thread, resulting in undefined behavior and likely process termination. The MAVLink protocol allows remote ground stations and scripts to send SERIAL_CONTROL messages with minimal authentication, making this attack surface directly exposed to network interfaces where MAVLink telemetry is enabled.
RemediationAI
Upgrade PX4 autopilot to version 1.17.0-rc1 or later, which includes thread-safe synchronization fixes for the MavlinkShell component. Detailed upgrade procedures and release notes are available at https://github.com/PX4/PX4-Autopilot/releases. For systems that cannot be immediately patched, implement network-level mitigations by restricting MAVLink telemetry access to trusted ground station IP addresses only, disabling remote SERIAL_CONTROL message handling if not required for operations, or isolating autopilot systems on segregated network segments from untrusted MAVLink sources. Monitor system logs for unexpected autopilot reboots or crashes, which may indicate exploitation attempts. Organizations should prioritize patching in test environments first to validate compatibility before production deployment.
More in Px4 Autopilot
View allStack overflow vulnerability in PX4 autopilot drone flight control software (versions prior to 1.17.0-rc2) where the Zen
Buffer overflow vulnerability in PX4 autopilot drone firmware versions before 1.17.0-rc2 that allows adjacent network at
PX4 autopilot versions prior to 1.17.0-rc2 contain a stack overflow vulnerability in the BST telemetry probe driver that
An unauthenticated path traversal vulnerability in PX4 Autopilot's MAVLink FTP implementation (CWE-22) allows any MAVLin
PX4 autopilot versions prior to 1.17.0-rc2 contain an unbounded memcpy vulnerability in the tattu_can module that allows
PX4 Autopilot prior to version 1.17.0-rc2 contains a boolean logic error in MAVLink FTP session validation that uses AND
Same weakness CWE-416 – Use After Free
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today