Skip to main content

Px4 Autopilot CVE-2026-32724

MEDIUM
Use After Free (CWE-416)
2026-03-13 GitHub_M
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Analysis Generated
Mar 13, 2026 - 22:01 vuln.today
CVE Published
Mar 13, 2026 - 21:39 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc1, a heap-use-after-free is detected in the MavlinkShell::available() function. The issue is caused by a race condition between the MAVLink receiver thread (which handles shell creation/destruction) and the telemetry sender thread (which polls the shell for available output). The issue is remotely triggerable via MAVLink SERIAL_CONTROL messages (ID 126), which can be sent by an external ground station or automated script. This vulnerability is fixed in 1.17.0-rc1.

AnalysisAI

PX4 Autopilot versions prior to 1.17.0-rc1 contain a heap-use-after-free vulnerability in the MavlinkShell::available() function caused by a race condition between the MAVLink receiver and telemetry sender threads. Remote attackers can trigger this vulnerability by sending crafted SERIAL_CONTROL messages (ID 126) via MAVLink, leading to denial of service of the flight control system. The vulnerability affects drone operators and systems accepting MAVLink telemetry from untrusted ground stations or networks.

Technical ContextAI

PX4 is an open-source flight control autopilot for unmanned aerial vehicles that processes MAVLink protocol communications. The vulnerability resides in the MavlinkShell component, which handles shell command execution via MAVLink's SERIAL_CONTROL message type (message ID 126). The root cause is a classic race condition (CWE-416: use-after-free) occurring between two concurrent threads: the MAVLink receiver thread that creates and destroys shell instances, and the telemetry sender thread that polls the shell's available() method for output data. Without proper synchronization primitives (mutexes or atomic operations), one thread may access a shell object that has already been freed by the other thread, resulting in undefined behavior and likely process termination. The MAVLink protocol allows remote ground stations and scripts to send SERIAL_CONTROL messages with minimal authentication, making this attack surface directly exposed to network interfaces where MAVLink telemetry is enabled.

RemediationAI

Upgrade PX4 autopilot to version 1.17.0-rc1 or later, which includes thread-safe synchronization fixes for the MavlinkShell component. Detailed upgrade procedures and release notes are available at https://github.com/PX4/PX4-Autopilot/releases. For systems that cannot be immediately patched, implement network-level mitigations by restricting MAVLink telemetry access to trusted ground station IP addresses only, disabling remote SERIAL_CONTROL message handling if not required for operations, or isolating autopilot systems on segregated network segments from untrusted MAVLink sources. Monitor system logs for unexpected autopilot reboots or crashes, which may indicate exploitation attempts. Organizations should prioritize patching in test environments first to validate compatibility before production deployment.

Share

CVE-2026-32724 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy