CVE-2026-26742
Published: 10 March 2026
Summary
CVE-2026-26742 is a high-severity Missing Authorization (CWE-862) vulnerability in Dronecode Px4 Drone Autopilot. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The vulnerability is ranked at the 15.1st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SA-8 (Security and Privacy Engineering Principles) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- SI-2 (Flaw Remediation): Directly requires identification, reporting, prioritization, and correction of the specific software flaw in re-arm grace period logic that bypasses pre-flight safety checks.
- Verifies correct operation of security functions like pre-flight safety checks and re-arm logic to detect incorrect application of in-air emergency procedures to ground scenarios.
- SA-8 (Security and Privacy Engineering Principles): Applies security engineering principles during system development to prevent logic errors that enable bypass of safety checks during mode transitions and re-arming.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
The logic flaw in PX4's remote flight-control interface (mode switch + re-arm commands over adjacent network) directly enables exploitation of the exposed remote service to bypass safety checks and induce loss of control.
NVD Description
PX4 Autopilot versions 1.12.x through 1.15.x contain a protection mechanism failure in the "Re-arm Grace Period" logic. The system incorrectly applies the in-air emergency re-arm logic to ground scenarios. If a pilot switches to Manual mode and re-arms within 5 seconds (default configuration) of an automatic landing, the system bypasses all pre-flight safety checks, including the throttle threshold check. This allows for an immediate high-thrust takeoff if the throttle stick is raised, leading to loss of control.
Deeper analysis [AI-generated]
CVE-2026-26742 is a protection mechanism failure (CWE-862) in the "Re-arm Grace Period" logic of PX4 Autopilot versions 1.12.x through 1.15.x. The vulnerability causes the system to incorrectly apply in-air emergency re-arm logic to ground scenarios. Specifically, if a pilot switches to Manual mode and re-arms within 5 seconds (default configuration) of an automatic landing, the system bypasses all pre-flight safety checks, including the throttle threshold check. This enables an immediate high-thrust takeoff if the throttle stick is raised, potentially resulting in loss of control. The issue carries a CVSS v3.1 base score of 8.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
An attacker with adjacent network access can exploit this vulnerability with low attack complexity, requiring no privileges or user interaction. By manipulating the drone into an automatic landing followed by a Manual mode switch and re-arm within the grace period, the attacker can trigger the bypass of safety checks. Successful exploitation leads to high-impact disruption of integrity and availability, as the drone may execute uncontrolled high-thrust maneuvers, causing physical damage or crashes.
Mitigation details and further analysis are available in the referenced advisory at https://github.com/npuwyw/PX4-Autopilot/blob/audit-v1.12.3-mode-transition-logic-flaw/PX4_Autopilot_Mode_Switching_Logic_Vulnerability.md.
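The following is an added, deliberately simplified model of the re-arm decision described above; it is not PX4's own code, and every name, structure and threshold in it (VehicleState, inRearmGraceWindow, kArmThrottleMax, the 0.1 throttle limit) is an assumption chosen to illustrate the flaw and one way to close it. It shows the flawed decision, which takes the in-air emergency path whenever the grace window is open, next to a hardened decision that consults the land detector first, plus a small log-review predicate that flags the signature of the flaw firing.

```cpp
#include <cstdint>
#include <cstdio>

// Added illustrative model, NOT PX4's own code. Names, thresholds and the
// VehicleState layout are assumptions made for this example only.

enum class FlightMode { Manual, AutoLand, Hold };

struct VehicleState {
    bool landed;             // land detector: true once the vehicle is on the ground
    FlightMode mode;
    float throttle;          // normalized throttle stick position, 0.0 .. 1.0
    uint64_t now_us;         // current monotonic time in microseconds
    uint64_t last_disarm_us; // time of the most recent automatic disarm
};

enum class ArmResult { Armed, RejectedThrottleHigh };

constexpr uint64_t kRearmGraceUs = 5000000;  // 5 s, the default quoted in the advisory
constexpr float kArmThrottleMax = 0.1f;      // assumed "throttle low" limit for arming

// The grace window is open when Manual mode is selected and the re-arm request
// arrives within kRearmGraceUs of the last automatic disarm.
bool inRearmGraceWindow(const VehicleState& s) {
    return s.mode == FlightMode::Manual &&
           s.now_us >= s.last_disarm_us &&
           (s.now_us - s.last_disarm_us) <= kRearmGraceUs;
}

// Stand-in for the pre-flight checks; the throttle threshold is the one the advisory names.
bool preflightChecksPass(const VehicleState& s) {
    return s.throttle <= kArmThrottleMax;
}

// Flawed decision: the in-air emergency re-arm path is taken whenever the grace
// window is open, without asking whether the vehicle has already landed.
ArmResult tryArmFlawed(const VehicleState& s) {
    if (inRearmGraceWindow(s)) {
        return ArmResult::Armed;  // pre-flight checks skipped, even on the ground
    }
    return preflightChecksPass(s) ? ArmResult::Armed : ArmResult::RejectedThrottleHigh;
}

// Hardened decision: the emergency path is only valid while airborne. Once the
// land detector reports ground contact, every re-arm goes through pre-flight checks.
ArmResult tryArmHardened(const VehicleState& s) {
    if (inRearmGraceWindow(s) && !s.landed) {
        return ArmResult::Armed;  // genuine in-air emergency re-arm
    }
    return preflightChecksPass(s) ? ArmResult::Armed : ArmResult::RejectedThrottleHigh;
}

// Constructed scenario from the advisory: automatic landing, pilot switches to
// Manual and re-arms 2 s later with the throttle stick raised.
VehicleState groundRearmScenario() {
    return VehicleState{true, FlightMode::Manual, 0.9f, 12000000, 10000000};
}

// Constructed contrast case: same timing and stick, but the vehicle is still airborne.
VehicleState airborneRearmScenario() {
    return VehicleState{false, FlightMode::Manual, 0.9f, 12000000, 10000000};
}

// Log-review predicate: a re-arm accepted while landed, inside the grace window,
// with the pre-flight checks failing is the signature of this flaw firing.
bool isSuspiciousRearm(const VehicleState& s, ArmResult r) {
    return r == ArmResult::Armed && s.landed && inRearmGraceWindow(s) && !preflightChecksPass(s);
}

int main() {
    VehicleState ground = groundRearmScenario();
    std::printf("ground, flawed:   %s\n", tryArmFlawed(ground) == ArmResult::Armed ? "ARMED (bug)" : "rejected");
    std::printf("ground, hardened: %s\n", tryArmHardened(ground) == ArmResult::Armed ? "armed" : "rejected");
    std::printf("flagged by log review: %s\n", isSuspiciousRearm(ground, tryArmFlawed(ground)) ? "yes" : "no");
    return 0;
}
```

The point of the hardened variant is that the grace period is an in-air concept: it must be gated on the land detector, not on timing alone, so the only re-arm path that skips pre-flight checks is one where skipping them is safer than refusing. The isSuspiciousRearm predicate is the same condition turned into a detection rule for flight logs, which is useful for confirming whether a fleet has ever exercised the flawed path.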
Details
- CWE(s)