Description
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the crsf_rc parser accepts an oversized variable-length known packet and copies it into a fixed 64-byte global buffer without a bounds check. In deployments where crsf_rc is enabled on a CRSF serial port, an adjacent/raw-serial attacker can trigger memory corruption and crash PX4. This vulnerability is fixed in 1.17.0-rc2.
Published: 2026-03-13
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

PX4 autopilot contains a global buffer overflow in the crsf_rc parser. An oversized variable-length known packet is accepted and copied into a fixed 64-byte global buffer without bounds checking. The overflow corrupts adjacent memory or triggers a crash, resulting in denial of service. The weakness is classified as CWE-120 (Buffer Copy without Checking Size of Destination Buffer) and CWE-787 (Out-of-Bounds Write).
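To make the CWE-120 pattern concrete, here is an added illustration that is not PX4's code: a hypothetical CRSF frame copier in the unchecked form the advisory describes, beside a bounded form of the kind a bounds-checked parser uses. The CRSF framing assumed here ([addr][len][type][payload...][crc8], with len counting the bytes after itself), the sample address 0xC8 and type 0x16, and every function and buffer name are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical illustration of the CWE-120 pattern behind CVE-2026-32706
 * and of the check that closes it. Not PX4's code; all names are made up.
 * Assumed CRSF framing: [addr][len][type][payload...][crc8], where len
 * counts every byte after itself, so a whole frame is len + 2 bytes. */
#define FRAME_BUF_SIZE 64u   /* fixed global destination, as in the advisory */

static uint8_t g_frame_buf[FRAME_BUF_SIZE];

/* Vulnerable pattern: the copy length comes straight from the wire and is
 * never compared with the destination size, so a len byte above 62 makes
 * memcpy write past g_frame_buf. For contrast only; never feed it an
 * oversized frame. Returns bytes copied, 0 if the frame is incomplete. */
size_t copy_frame_unchecked(const uint8_t *rx, size_t rx_len)
{
    if (rx_len < 2) return 0;
    size_t total = (size_t)rx[1] + 2u;
    if (total > rx_len) return 0;       /* wait for more bytes */
    memcpy(g_frame_buf, rx, total);     /* no check against FRAME_BUF_SIZE */
    return total;
}

/* Hardened pattern: reject any frame whose claimed size exceeds the
 * destination before any memory is written. Returns bytes copied, 0 on drop. */
size_t copy_frame_checked(const uint8_t *rx, size_t rx_len)
{
    if (rx_len < 2) return 0;
    size_t total = (size_t)rx[1] + 2u;
    if (total > FRAME_BUF_SIZE) return 0;   /* oversized: drop and resync */
    if (total > rx_len) return 0;
    memcpy(g_frame_buf, rx, total);
    return total;
}

/* Builds a constructed frame with the requested len byte (dummy payload,
 * CRSF flight-controller address 0xC8, RC-channels type 0x16) and runs it
 * through the chosen copier; returns whatever the copier returned. */
size_t feed_constructed_frame(uint8_t len_byte, int use_checked)
{
    static uint8_t rx[2u + 255u];
    size_t n = (size_t)len_byte + 2u;
    memset(rx, 0xA5, sizeof rx);
    rx[0] = 0xC8;
    rx[1] = len_byte;
    rx[2] = 0x16;
    return use_checked ? copy_frame_checked(rx, n) : copy_frame_unchecked(rx, n);
}
```

A len byte of 62 is the largest value the bounded copier accepts (64 bytes in total); 63 and above are dropped before the copy, which is exactly the decision the unchecked version never makes.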

Affected Systems

The vulnerability exists in PX4 Autopilot firmware versions prior to 1.17.0-rc2, including releases 1.17.0-alpha1, 1.17.0-beta1, and 1.17.0-rc1. It affects any deployment where the crsf_rc feature is enabled over a CRSF serial port and an adjacent or raw-serial channel is reachable by an attacker.

Risk and Exploitability

The CVSS base score is 7.1, rated High. EPSS is below 1%, suggesting a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to send crafted packets over the CRSF serial interface, typically a local or physically accessible channel, to trigger the overflow. Successful exploitation would cause the PX4 firmware to crash or reboot, leading to loss of vehicle control and availability. There is no evidence of confirmed code execution, so the primary impact is denial of service and potential loss of mission safety.

Generated by OpenCVE AI on March 16, 2026 at 23:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PX4 Autopilot to version 1.17.0-rc2 or later, where the crsf_rc parser includes bounds checks.
  • If an immediate upgrade is not feasible, disable the crsf_rc feature or block the CRSF serial port to prevent packet injection.
  • After update, verify the firmware version and perform stability testing.
  • Monitor system logs for segmentation faults or unexpected crashes that may indicate exploitation attempts.

Advisories

No advisories yet.

History

Tue, 17 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 16 Mar 2026 20:15:00 +0000

Type: First Time appeared
Values Added: Dronecode; Dronecode px4 Drone Autopilot
Type: CPEs
Values Added:
cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*
cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Dronecode; Dronecode px4 Drone Autopilot

Mon, 16 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Px4; Px4 px4-autopilot
Type: Vendors & Products
Values Added: Px4; Px4 px4-autopilot

Fri, 13 Mar 2026 21:30:00 +0000

Type: Description
Values Added: PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, The crsf_rc parser accepts an oversized variable-length known packet and copies it into a fixed 64-byte global buffer without a bounds check. In deployments where crsf_rc is enabled on a CRSF serial port, an adjacent/raw-serial attacker can trigger memory corruption and crash PX4. This vulnerability is fixed in 1.17.0-rc2.
Type: Title
Values Added: PX4 autopilot has a global buffer overflow in crsf_rc via oversized variable-length known packet
Type: Weaknesses
Values Added: CWE-120; CWE-787
Type: References
Values Added:
Type: Metrics
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-17T15:41:50.077Z

Reserved: 2026-03-13T14:33:42.823Z

Link: CVE-2026-32706

Vulnrichment

Updated: 2026-03-17T15:41:42.773Z

NVD

Status: Modified

Published: 2026-03-16T14:19:41.610

Modified: 2026-03-17T16:16:22.890

Link: CVE-2026-32706

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T13:39:22Z

Weaknesses