CVE-2026-32724 in PX4-Autopilot
Summary
by MITRE • 03/16/2026
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc1, a heap-use-after-free is detected in the MavlinkShell::available() function. The issue is caused by a race condition between the MAVLink receiver thread (which handles shell creation/destruction) and the telemetry sender thread (which polls the shell for available output). The issue is remotely triggerable via MAVLink SERIAL_CONTROL messages (ID 126), which can be sent by an external ground station or automated script. This vulnerability is fixed in 1.17.0-rc1.
Analysis
by VulDB Data Team • 03/16/2026
The CVE-2026-32724 vulnerability represents a critical heap-use-after-free flaw in the PX4 autopilot system that affects drone flight control solutions. This vulnerability exists in versions prior to 1.17.0-rc1 and demonstrates a fundamental concurrency issue within the MAVLink shell implementation. The PX4 autopilot serves as the primary flight control software for unmanned aerial vehicles, making this vulnerability particularly concerning for autonomous drone operations and unmanned systems deployment. The flaw manifests specifically within the MavlinkShell::available() function, which handles shell state management and output polling operations.
The technical root cause of this vulnerability stems from a race condition between two distinct threads within the PX4 system architecture. The MAVLink receiver thread is responsible for managing shell lifecycle operations including creation and destruction processes, while the telemetry sender thread continuously polls the shell for available output data. This concurrent access pattern creates a window where the shell object can be freed by the receiver thread while the telemetry sender thread still attempts to access it. The race condition occurs because proper synchronization mechanisms are absent between these threads during shell state transitions, allowing for memory access violations when the freed heap memory is subsequently referenced.
The operational impact of this vulnerability extends beyond typical memory corruption scenarios due to its remote exploitability through MAVLink SERIAL_CONTROL messages with ID 126. This message type enables external ground stations or automated scripts to trigger the vulnerability, effectively allowing remote attackers to compromise drone systems without physical access to the aircraft. The attack surface is particularly broad as MAVLink communications are commonly used in drone operations for telemetry, command and control, and system monitoring. An attacker could potentially execute arbitrary code, cause system crashes, or disrupt flight operations by exploiting this heap-use-after-free condition. The vulnerability's remote triggerability makes it especially dangerous in environments where drones operate in proximity to potential adversaries or where unauthorized access to telemetry systems could occur.
The fix implemented in version 1.17.0-rc1 addresses this vulnerability through proper synchronization mechanisms between the MAVLink receiver and telemetry sender threads. This remediation aligns with established cybersecurity practices for preventing race conditions and memory safety issues in concurrent systems. The solution likely involves implementing mutex locks or similar synchronization primitives to ensure exclusive access to shell objects during state transitions.
Organizations operating PX4-based drone systems should prioritize immediate upgrade to version 1.17.0-rc1 or later to mitigate this risk. This vulnerability demonstrates the importance of proper thread synchronization in embedded systems and highlights the need for thorough concurrency testing in flight control software.
The remediation approach follows industry best practices for preventing heap corruption vulnerabilities and aligns with CWE standards for memory safety issues, specifically addressing CWE-416 which covers use-after-free conditions. The ATT&CK framework would categorize this vulnerability under the T1059.001 technique for command and control through shell access, making it a significant concern for drone security and autonomous system integrity.
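The locking pattern the analysis describes, as an added example that is neither PX4's code nor the actual 1.17.0-rc1 patch: one mutex covers the receiver-side destroy and the sender-side check-then-use, so the object cannot be freed between the null check and the call. `Shell`, `ShellSlot` and `stress` are hypothetical names.

```cpp
#include <atomic>
#include <cstddef>
#include <memory>
#include <mutex>
#include <thread>

// Hypothetical stand-in for a shell object; not PX4's MavlinkShell.
struct Shell {
    std::size_t pending = 3;  // constructed sample value
    std::size_t available() const { return pending; }
};

// Hypothetical owner shared by a receiver thread and a sender thread.
class ShellSlot {
public:
    // Receiver side: create the shell on request.
    void open() {
        std::lock_guard<std::mutex> g(lock_);
        if (!shell_) shell_ = std::make_unique<Shell>();
    }
    // Receiver side: destroy the shell. Without lock_, this free could run
    // between the sender's null check and its call to available().
    void close() {
        std::lock_guard<std::mutex> g(lock_);
        shell_.reset();
    }
    // Sender side: the check and the use sit under the same lock as the free.
    std::size_t poll() {
        std::lock_guard<std::mutex> g(lock_);
        return shell_ ? shell_->available() : 0;
    }
private:
    std::mutex lock_;
    std::unique_ptr<Shell> shell_;
};

// Runs both roles concurrently; counts polls that saw anything but 0 or 3.
std::size_t stress(int rounds) {
    ShellSlot slot;
    std::atomic<bool> done{false};
    std::size_t bad = 0;  // written only by sender, read after join()
    std::thread sender([&] {
        while (!done.load()) {
            std::size_t n = slot.poll();
            if (n != 0 && n != 3) ++bad;
        }
    });
    for (int i = 0; i < rounds; ++i) { slot.open(); slot.close(); }
    done.store(true);
    sender.join();
    return bad;
}
```

Building this with `-fsanitize=thread` or `-fsanitize=address` and calling `stress` is a quick regression check that the create/destroy path and the polling path stay serialized.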