PX4 Autopilot versions 1.12.x through 1.15.x contain a flaw in the Re‑arm Grace Period logic where the system mistakenly applies in‑air emergency re‑arm rules during ground scenarios. This incorrect permission enforcement flaw (CWE‑862) causes the protection mechanism to bypass all pre‑flight safety checks, including the critical throttle threshold check, when a pilot switches to Manual mode and re‑arms within the default 5‑second grace period of an automatic landing. The result is an immediate high‑thrust takeoff when the throttle stick is raised, leading to loss of control and potential safety incidents.

The vulnerability affects PX4 Autopilot firmware from version 1.12.x up to 1.15.x. Affected users should verify their installed PX4 version and identify whether it resides within this range.

The flaw carries a CVSS score of 8.1, indicating high severity, but the EPSS score is below 1 %, suggesting a very low probability of exploitation in the wild. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. An attacker would need the ability to command a mode switch to Manual during a landing sequence, either through the remote controller or by compromising the aviation system, to trigger the bypass. Once the grace period is exploited, safety checks are circumvented and high‑thrust takeoff becomes possible, presenting a direct risk of loss of control.