PT-2026-25400 · Px4+2 · Px4-Autopilot+1

Xz0X · Published 2026-03-13 · Updated 2026-03-16

CVE-2026-32724

CVSS v3.1: 5.3 (Medium)

Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: PX4 autopilot versions prior to 1.17.0-rc1

Description: PX4 autopilot is a flight control solution for drones. A heap use-after-free condition exists in the MavlinkShell::available() function due to a race condition between the MAVLink receiver thread and the telemetry sender thread. The issue can be triggered remotely with MAVLink SERIAL_CONTROL messages (ID 126) sent by an external ground station or automated script.

Recommendations: Versions prior to 1.17.0-rc1 should be updated to version 1.17.0-rc1 or later.
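
To audit which systems send shell-directed SERIAL_CONTROL traffic on a link, the following added example (not from the advisory or the PX4 project) walks MAVLink v1/v2 frames in a captured byte stream and counts message ID 126 per sender. It assumes device value 10 is SERIAL_CONTROL_DEV_SHELL from the MAVLink common dialect, does not validate checksums, and uses constructed sample frames built by the hypothetical helper `_v2`.

```python
from collections import Counter

SERIAL_CONTROL = 126   # message ID named in the advisory
DEV_SHELL = 10         # assumption: SERIAL_CONTROL_DEV_SHELL in the MAVLink common dialect

def iter_frames(buf):
    """Yield (sysid, compid, msgid, payload) per MAVLink v1/v2 frame; checksums are not verified."""
    i = 0
    while i < len(buf):
        stx = buf[i]
        if stx == 0xFD and i + 10 <= len(buf):      # MAVLink 2: 10-byte header
            plen, incompat = buf[i + 1], buf[i + 2]
            sysid, compid = buf[i + 5], buf[i + 6]
            msgid = int.from_bytes(buf[i + 7:i + 10], "little")
            # 2-byte checksum, plus a 13-byte signature when the signed flag is set
            start, total = i + 10, 10 + plen + 2 + (13 if incompat & 0x01 else 0)
        elif stx == 0xFE and i + 6 <= len(buf):     # MAVLink 1: 6-byte header
            plen = buf[i + 1]
            sysid, compid, msgid = buf[i + 3], buf[i + 4], buf[i + 5]
            start, total = i + 6, 6 + plen + 2
        else:
            i += 1                                  # not a frame start: resynchronise
            continue
        if i + total > len(buf):
            break                                   # truncated trailing frame
        yield sysid, compid, msgid, buf[start:start + plen]
        i += total

def shell_senders(buf):
    """Count SERIAL_CONTROL frames addressed to the shell device, per (sysid, compid)."""
    hits = Counter()
    for sysid, compid, msgid, payload in iter_frames(buf):
        if msgid != SERIAL_CONTROL:
            continue
        # Wire order: baudrate u32, timeout u16, device u8, flags u8, count u8, data[70].
        # MAVLink 2 truncates trailing zero bytes, so pad before reading offset 6.
        device = payload.ljust(7, b"\0")[6]
        if device == DEV_SHELL:
            hits[(sysid, compid)] += 1
    return hits

def _v2(sysid, compid, msgid, payload):
    """Build a constructed MAVLink 2 frame; checksum bytes are placeholders."""
    return (bytes([0xFD, len(payload), 0, 0, 0, sysid, compid])
            + msgid.to_bytes(3, "little") + payload + b"\0\0")

# Constructed capture: expected ground station (255/190) and an unexpected sender (42/1).
SAMPLE = (_v2(255, 190, 126, bytes(6) + b"\x0a")      # SERIAL_CONTROL to shell device
          + _v2(255, 190, 126, bytes(6) + b"\x02")    # SERIAL_CONTROL to a non-shell device
          + _v2(1, 1, 0, bytes(9))                    # unrelated 9-byte message, ID 0
          + _v2(42, 1, 126, bytes(6) + b"\x0a") * 3)  # repeated shell frames
```

On firmware older than 1.17.0-rc1, any sender in the result that is not an expected ground station is worth investigating.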

Exploit

Fix

Use After Free

Weakness Enumeration

Related Identifiers

CVE-2026-32724
GHSA-J5W2-W79C-MQRW

Affected Products

Px4-Autopilot
Px4 Drone Autopilot