CVE-2026-32706
Published: 16 March 2026
Summary
CVE-2026-32706 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Dronecode Px4 Drone Autopilot. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-32706 is a buffer overflow vulnerability (CWE-120, CWE-787) in the crsf_rc parser of PX4 Autopilot, an open-source flight control solution for drones. In versions prior to 1.17.0-rc2, the parser accepts oversized variable-length packets and copies them into a fixed 64-byte global buffer without performing bounds checks, leading to potential memory corruption. The issue was published on 2026-03-16 and carries a CVSS v3.1 base score of 7.1 (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H), emphasizing high availability impact with low integrity disruption.
An adjacent or raw-serial attacker can exploit this vulnerability in deployments where crsf_rc is enabled on a CRSF serial port. By sending a malicious oversized packet, the attacker triggers memory corruption, reliably crashing the PX4 system and potentially disrupting drone operations. No privileges, user interaction, or remote network access are required, but physical or adjacent proximity to the serial interface is necessary.
The official GitHub security advisory (GHSA-mqgj-hh4g-fg5p) confirms the vulnerability is fixed in PX4 Autopilot version 1.17.0-rc2. Security practitioners should ensure deployments upgrade to this version or later, disable crsf_rc on exposed CRSF ports if feasible, and monitor serial interfaces for anomalous traffic.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-12150
Vulnerability details
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, The crsf_rc parser accepts an oversized variable-length known packet and copies it into a fixed 64-byte global buffer without a bounds check. In deployments where crsf_rc is enabled…
more
on a CRSF serial port, an adjacent/raw-serial attacker can trigger memory corruption and crash PX4. This vulnerability is fixed in 1.17.0-rc2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in crsf_rc parser enables direct exploitation causing reliable system crash and availability impact (A:H), matching Application or System Exploitation under Endpoint DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation of all input (including variable-length CRSF packets) to enforce bounds and prevent the unchecked copy into the 64-byte buffer.
Mandates timely application of the vendor patch that eliminates the oversized-packet flaw in crsf_rc (fixed in 1.17.0-rc2).
Requires disabling unnecessary features such as crsf_rc on exposed serial ports when the protocol is not required, reducing the attack surface.