CVE-2026-32706 PUBLISHED

PX4 autopilot has a global buffer overflow in crsf_rc via oversized variable-length known packet

Assigner: GitHub_M
Reserved: 13.03.2026 Published: 13.03.2026 Updated: 13.03.2026

PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, The crsf_rc parser accepts an oversized variable-length known packet and copies it into a fixed 64-byte global buffer without a bounds check. In deployments where crsf_rc is enabled on a CRSF serial port, an adjacent/raw-serial attacker can trigger memory corruption and crash PX4. This vulnerability is fixed in 1.17.0-rc2.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
CVSS Score: 7.1

Attack Vector	Adjacent Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	PX4
Product	PX4-Autopilot
Versions	Version < 1.17.0-rc2 is affected

References

https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-mqgj-hh4g-fg5p

Problem Types

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE
CWE-787: Out-of-bounds Write CWE