CVE-2026-26741 Overview
CVE-2026-26741 is a logic flaw vulnerability affecting PX4 Autopilot versions 1.12.x through 1.15.x. The vulnerability exists in the mode switching mechanism and is classified as Missing Authorization (CWE-862). When transitioning from Auto mode to Manual mode while the drone is in the "ARMED" state—specifically after landing but before automatic disarm triggered by the COM_DISARM_LAND parameter—the system fails to perform a throttle threshold safety check for the physical throttle stick. This missing safety check can result in complete loss of control, rapid uncontrolled ascent (flyaway), and potential property damage.
Critical Impact
Exploitation of this vulnerability can cause drones to experience uncontrolled flyaway behavior, resulting in loss of control and property damage. The flaw affects the critical mode transition safety mechanism in autonomous drone systems.
Affected Products
- Dronecode PX4 Drone Autopilot versions 1.12.x through 1.15.x
- Systems using PX4 Autopilot with mode switching between Auto and Manual modes
- Drone configurations utilizing the COM_DISARM_LAND automatic disarm parameter
Discovery Timeline
- 2026-03-10 - CVE-2026-26741 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-26741
Vulnerability Analysis
This vulnerability represents a critical safety oversight in the PX4 Autopilot flight control system's mode transition logic. The root cause stems from missing authorization checks (CWE-862) during state transitions, specifically the absence of throttle stick position validation when switching between autonomous and manual control modes.
In normal operation, when a drone lands in Auto mode, the COM_DISARM_LAND parameter triggers an automatic disarm sequence after a configurable delay. However, if an operator switches to Manual mode during this vulnerable window (while the aircraft remains ARMED post-landing), the flight controller immediately passes throttle commands to the motors without first verifying the throttle stick is in a safe (low) position.
The attack vector is Adjacent Network: an attacker within range of the drone's control link who can inject mode switching commands can trigger this unsafe state transition. The vulnerability affects both integrity and availability, potentially causing complete loss of aircraft control.
Root Cause
The root cause is a missing safety check in the mode switching state machine. The PX4 flight stack lacks proper validation of manual control input positions before transferring authority from the autopilot to the pilot's physical controls. When transitioning from Auto to Manual mode, the system should verify that the throttle stick is below a safe threshold before enabling manual control. This verification step is absent in affected versions, creating a dangerous gap in the safety architecture where the drone can immediately respond to whatever throttle position the stick happens to be in at the moment of transition.
Attack Vector
The attack vector is classified as Adjacent Network, meaning an attacker must be within communication range of the drone's control link. Exploitation requires the ability to send mode switching commands to the aircraft while it is in the ARMED state post-landing. The attack scenario unfolds as follows:
The attacker monitors for a drone completing an autonomous landing sequence. During the window between touchdown and automatic disarm (controlled by COM_DISARM_LAND), the attacker transmits a mode switch command from Auto to Manual. If the operator's throttle stick is not at the minimum position, the drone immediately applies the current throttle setting, potentially causing rapid uncontrolled ascent. No user interaction is required beyond the attacker's ability to send the malicious command, and no authentication is needed to exploit this flaw.
Detection Methods for CVE-2026-26741
Indicators of Compromise
- Unexpected mode transitions from Auto to Manual mode during the post-landing ARMED state
- Telemetry logs showing throttle commands immediately following mode switches without corresponding safety checks
- Flight logs indicating rapid altitude increases following landing sequences
- Anomalous control link communications during the disarm delay window
Detection Strategies
- Monitor flight controller logs for mode transition events occurring between landing detection and disarm
- Implement telemetry analysis to flag Auto-to-Manual transitions while COM_DISARM_LAND timer is active
- Monitor the control link (for example MAVLink telemetry) with intrusion detection to identify unauthorized command injection
- Review flight logs for throttle command spikes immediately following mode switches
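As an added example (not from the advisory or the PX4 project), a small Python detector that applies the strategies above to a constructed sequence of flight events: it flags an Auto-to-Manual switch that occurs while the vehicle is armed and landed but before the COM_DISARM_LAND delay has elapsed, and notes when the throttle stick was above a safe threshold at that moment. The event tuple format, the field names and the 0.1 throttle threshold are assumptions for illustration.

```python
"""Flag Auto->Manual mode switches in the post-landing ARMED window.

Constructed example (not PX4 project code). Events are (time_s, kind, value)
tuples such as one might extract from a flight log with pyulog or from a
MAVLink telemetry stream; the kinds and names are assumptions.
"""
from dataclasses import dataclass

THROTTLE_SAFE_MAX = 0.1   # assumed "low throttle" threshold (stick range 0..1)


@dataclass
class Alert:
    time_s: float
    reason: str


def find_unsafe_transitions(events, disarm_delay_s):
    """Return alerts for Auto->Manual switches while armed and landed,
    issued before the COM_DISARM_LAND auto-disarm would have fired."""
    armed, landed_at, mode, throttle, alerts = False, None, None, 0.0, []
    for t, kind, value in sorted(events, key=lambda e: e[0]):
        if kind == "armed":
            armed = bool(value)
            if not armed:
                landed_at = None          # disarmed: window is closed
        elif kind == "landed":
            landed_at = t if (value and armed) else None
        elif kind == "throttle":
            throttle = float(value)
        elif kind == "mode":
            prev, mode = mode, value
            in_window = (armed and landed_at is not None
                         and t - landed_at < disarm_delay_s)
            if prev == "AUTO" and mode == "MANUAL" and in_window:
                reason = "Auto->Manual switch in post-landing armed window"
                if throttle > THROTTLE_SAFE_MAX:
                    reason += f" with throttle {throttle:.2f} above safe limit"
                alerts.append(Alert(t, reason))
    return alerts


# Constructed sample log: touchdown at t=10, switch to MANUAL at t=11 with the
# throttle stick at 0.6; auto-disarm fires at t=12 (COM_DISARM_LAND = 2 s).
SAMPLE_EVENTS = [
    (0.0, "armed", True), (0.0, "mode", "AUTO"), (0.0, "throttle", 0.0),
    (10.0, "landed", True), (10.5, "throttle", 0.6),
    (11.0, "mode", "MANUAL"), (12.0, "armed", False),
]

if __name__ == "__main__":
    for a in find_unsafe_transitions(SAMPLE_EVENTS, disarm_delay_s=2.0):
        print(f"t={a.time_s:.1f}s: {a.reason}")
```

The same switch issued after the auto-disarm has fired produces no alert, so the detector isolates exactly the window the advisory describes.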
Monitoring Recommendations
- Enable verbose logging for mode state machine transitions in PX4 Autopilot
- Configure ground control station alerts for unexpected mode changes during post-landing sequences
- Implement real-time telemetry monitoring for throttle position validation during mode transitions
- Establish baseline flight profiles to detect anomalous behavior patterns indicative of exploitation
How to Mitigate CVE-2026-26741
Immediate Actions Required
- Review the GitHub Vulnerability Report for detailed technical information
- Reduce the COM_DISARM_LAND parameter to minimize the vulnerable window between landing and automatic disarm
- Establish operational procedures requiring throttle stick verification before any mode transitions
- Consider restricting mode switching capabilities during the ARMED post-landing state until a patch is available
Patch Information
Organizations running affected PX4 Autopilot versions (1.12.x through 1.15.x) should monitor the official PX4 project repositories for security updates addressing this logic flaw. Review the GitHub Vulnerability Report for the latest remediation guidance and subscribe to PX4 security announcements for patch notifications.
Workarounds
- Configure COM_DISARM_LAND to the shortest practical value to minimize the vulnerable time window
- Implement operational controls requiring manual throttle verification before mode switching
- Disable Auto-to-Manual mode transitions during the ARMED state through custom parameter configurations
- Deploy geofencing and altitude limits as secondary safety measures to contain potential flyaway events
# Configuration example: reduce the vulnerable window by shortening the auto-disarm delay
# Enter these commands in the PX4 system console (for example QGroundControl's MAVLink console);
# the same values can be set from the QGroundControl parameter editor
# Reduce auto-disarm delay after landing to 2 seconds (default may be higher)
param set COM_DISARM_LAND 2.0
# Set preflight disarm timeout
param set COM_DISARM_PRFLT 3.0
# Save parameters to persistent storage
param save
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.