Description
PX4 Autopilot versions 1.12.x through 1.15.x contain a logic flaw in the mode switching mechanism. When switching from Auto mode to Manual mode while the drone is in the "ARMED" state (after landing and before the automatic disarm triggered by the COM_DISARM_LAND parameter), the system lacks a throttle threshold safety check for the physical throttle stick. This flaw can directly cause the drone to lose control, experience rapid uncontrolled ascent (flyaway), and result in property damage.
Published: 2026-03-10
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Loss of Control and Property Damage
Action: Patch Immediately
AI Analysis

Impact

The flaw in PX4 Autopilot's mode switching logic allows an attacker to switch from Auto to Manual while the aircraft remains ARMED. This action bypasses a required throttle threshold safety check, permitting rapid, uncontrolled ascent or flyaway. An attacker could therefore cause loss of control, endangering occupants and property and potentially leading to crashes.

Affected Systems

PX4 Autopilot firmware versions 1.12.x through 1.15.x, used in commercial and recreational drones built by the Dronecode community, are affected. Systems running these builds are vulnerable.

Risk and Exploitability

The CVSS 8.1 score indicates high severity. EPSS <1% shows low predicted exploitation probability, but the flaw is in a core flight control path and can be triggered with normal flight mode commands. No listing in CISA KEV means no currently known active exploit, yet an attacker with access to the flight controller's control channel could trigger the issue. The risk remains significant if the relevant firmware is deployed.

Generated by OpenCVE AI on April 16, 2026 at 03:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PX4 Autopilot firmware to a version newer than 1.15.x that contains the patched mode-switching logic.
  • If an update is not immediately possible, disable manual mode while the drone is armed or ensure the throttle stick remains below the safety threshold during mode changes.
  • Verify that the flight controller is configured to enforce automatic disarm on landing by correctly setting the COM_DISARM_LAND parameter.



Advisories

No advisories yet.

History

Thu, 12 Mar 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| CPEs | | cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:* |

Thu, 12 Mar 2026 03:15:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Wed, 11 Mar 2026 15:30:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Weaknesses | | CWE-862 |
| Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'} |

Wed, 11 Mar 2026 12:00:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| First Time appeared | | Dronecode; Dronecode px4 Drone Autopilot |
| Vendors & Products | | Dronecode; Dronecode px4 Drone Autopilot |

Tue, 10 Mar 2026 19:00:00 +0000

| Type | Values Removed | Values Added |
|------|----------------|--------------|
| Description | | PX4 Autopilot versions 1.12.x through 1.15.x contain a logic flaw in the mode switching mechanism. When switching from Auto mode to Manual mode while the drone is in the "ARMED" state (after landing and before the automatic disarm triggered by the COM_DISARM_LAND parameter), the system lacks a throttle threshold safety check for the physical throttle stick. This flaw can directly cause the drone to lose control, experience rapid uncontrolled ascent (flyaway), and result in property damage |
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-11T14:54:27.535Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26741

Vulnrichment

Updated: 2026-03-11T14:52:04.266Z

NVD

Status: Analyzed

Published: 2026-03-10T19:17:17.103

Modified: 2026-03-12T17:05:29.457

Link: CVE-2026-26741

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:00:09Z

Weaknesses