CVE-2026-26742 Overview
CVE-2026-26742 is a protection mechanism failure vulnerability affecting PX4 Autopilot versions 1.12.x through 1.15.x. The vulnerability exists in the "Re-arm Grace Period" logic, where the system incorrectly applies in-air emergency re-arm logic to ground scenarios. This flaw allows pilots to bypass all pre-flight safety checks when switching to Manual mode and re-arming within 5 seconds of an automatic landing, potentially resulting in uncontrolled high-thrust takeoffs and loss of control.
Critical Impact
Successful exploitation allows bypass of pre-flight safety checks including throttle threshold verification, enabling immediate high-thrust takeoff and potential loss of aircraft control with associated physical safety hazards.
Affected Products
- Dronecode PX4 Drone Autopilot versions 1.12.x through 1.15.x
Discovery Timeline
- 2026-03-10 - CVE-2026-26742 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-26742
Vulnerability Analysis
This vulnerability stems from a Missing Authorization (CWE-862) weakness in the PX4 Autopilot firmware's mode transition handling. The core issue lies in how the system manages the grace period intended for emergency re-arming during in-air scenarios.
The "Re-arm Grace Period" feature was designed to allow rapid re-arming in emergency flight situations where a drone may need to quickly regain control after a disarm event. However, the implementation fails to properly distinguish between in-air emergency situations and normal ground operations following an automatic landing sequence.
When a pilot performs an automatic landing and subsequently switches to Manual mode, re-arming within the default 5-second grace window causes the system to incorrectly treat the ground scenario as an in-air emergency. This misclassification triggers the emergency re-arm pathway, which by design bypasses standard pre-flight safety validations.
Root Cause
The root cause is a protection mechanism failure in the state machine logic that governs arming transitions. The system lacks proper context validation to determine whether the aircraft is genuinely in an airborne emergency requiring rapid re-arm capabilities, versus a standard ground state following completed landing procedures.
The logic incorrectly persists the "grace period" flag across the landing transition, failing to reset the emergency state when the aircraft touches down. This allows the bypass of critical safety checks including throttle position validation, sensor calibration verification, and pre-arm safety conditions.
Attack Vector
The vulnerability requires adjacent network access, meaning an attacker would need to be in radio communication range of the affected drone system. Exploitation does not require authentication or user interaction.
The attack scenario involves:
- A drone completes an automatic landing sequence
- An operator (or attacker with radio access) switches the flight mode to Manual
- Within 5 seconds, the operator issues a re-arm command
- The system bypasses all pre-flight safety checks due to the misapplied grace period logic
- If the throttle is raised, immediate high-thrust takeoff occurs without safety validation
This could result in uncontrolled aircraft behavior, physical damage to property, or injury to nearby personnel. The vulnerability is particularly concerning in scenarios where drones operate near people or in confined spaces where uncontrolled takeoffs pose significant safety risks.
Detection Methods for CVE-2026-26742
Indicators of Compromise
- Unexpected re-arm events occurring within 5 seconds of automatic landing completion
- Flight logs showing bypassed pre-flight safety checks during ground operations
- Rapid mode transitions from automatic landing to manual control with immediate re-arm sequences
- Anomalous throttle response patterns following landing sequences
Detection Strategies
- Monitor telemetry data for re-arm commands issued within the grace period following auto-land events
- Implement logging for all instances where pre-flight checks are bypassed
- Audit flight controller logs for mode transition patterns matching the exploit sequence
- Review MAVLink message logs for suspicious command timing patterns
Monitoring Recommendations
- Enable verbose logging for arming state transitions and mode changes
- Configure alerts for any arming events that bypass standard safety checks
- Implement real-time telemetry monitoring for grace period exploitation attempts
- Establish baseline flight patterns to detect anomalous re-arm behavior
How to Mitigate CVE-2026-26742
Immediate Actions Required
- Review all PX4 Autopilot deployments running versions 1.12.x through 1.15.x
- Consider disabling or extending the Re-arm Grace Period configuration parameter
- Implement operational procedures requiring manual safety verification before re-arming after landing
- Monitor vendor advisories for official patch releases
Patch Information
As of the last update, refer to the PX4 Autopilot Vulnerability Advisory for detailed technical information and remediation guidance. Organizations should monitor the official PX4 project repositories for security patches addressing this vulnerability.
Workarounds
- Increase the grace period timeout value beyond practical exploitation windows
- Implement mandatory waiting periods between landing and manual re-arming in operational procedures
- Deploy ground control station software that enforces safety delays before allowing re-arm commands
- Consider firmware modifications to reset the grace period flag upon confirmed landing state
- Restrict radio access to authorized operators only to limit adjacent network attack surface
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
