CVE-2026-32706 Overview
CVE-2026-32706 is a buffer overflow vulnerability affecting PX4 autopilot, an open-source flight control solution for drones. The vulnerability exists in the crsf_rc parser component, which accepts an oversized variable-length packet and copies it into a fixed 64-byte global buffer without performing proper bounds checking. This memory corruption flaw can be exploited by an attacker with adjacent network access to crash the PX4 flight controller, potentially causing loss of drone control.
Critical Impact
An adjacent attacker can trigger memory corruption and crash the PX4 autopilot system, leading to potential drone crashes and loss of control during flight operations.
Affected Products
- Dronecode PX4 Drone Autopilot versions prior to 1.17.0-rc2
- Dronecode PX4 Drone Autopilot version 1.17.0-alpha1
- Dronecode PX4 Drone Autopilot version 1.17.0-beta1
- Dronecode PX4 Drone Autopilot version 1.17.0-rc1
Discovery Timeline
- 2026-03-16 - CVE-2026-32706 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-32706
Vulnerability Analysis
This vulnerability is classified as CWE-120 (Buffer Copy without Checking Size of Input), a classic buffer overflow condition. The crsf_rc parser in PX4 autopilot firmware is designed to process CrossFire (CRSF) protocol packets from RC receivers. When processing incoming packets, the parser fails to validate the size of variable-length packets before copying them into a fixed 64-byte global buffer.
The flaw allows an attacker to craft a malicious CRSF packet larger than the expected buffer size. When the parser processes this oversized packet, it writes beyond the bounds of the allocated buffer, corrupting adjacent memory regions. This memory corruption can destabilize the flight controller, causing it to crash during operation.
The vulnerability requires the attacker to have adjacent network access, meaning they must be able to send raw serial data to the CRSF port on the flight controller. While this limits remote exploitation, it poses significant risks in scenarios where an attacker can physically access or wirelessly communicate with the drone's serial interface.
Root Cause
The root cause is the absence of bounds checking in the crsf_rc parser when handling variable-length CRSF packets. The code copies incoming packet data directly into a fixed 64-byte global buffer without first verifying that the packet size does not exceed the buffer capacity. This classic programming error violates secure coding practices for memory safety.
Attack Vector
The attack requires adjacent network access through the CRSF serial port interface. An attacker must be able to send crafted serial data to a CRSF-enabled port on the PX4 flight controller. The attack mechanism works as follows:
- The attacker identifies a PX4 drone with crsf_rc enabled on a serial port
- The attacker crafts a CRSF packet with a payload larger than 64 bytes
- The malicious packet is transmitted to the drone's CRSF serial interface
- The crsf_rc parser attempts to copy the oversized packet into the fixed buffer
- Memory corruption occurs as data overwrites adjacent memory regions
- The PX4 autopilot crashes, potentially causing loss of drone control
For detailed technical information about this vulnerability, refer to the PX4-Autopilot Security Advisory.
Detection Methods for CVE-2026-32706
Indicators of Compromise
- Unexpected PX4 autopilot crashes or reboots during flight operations
- Anomalous or oversized packets observed on CRSF serial interfaces
- Flight controller logs showing memory errors or segmentation faults
- Unusual patterns in telemetry data indicating controller instability
Detection Strategies
- Monitor CRSF serial port traffic for packets exceeding 64 bytes in length
- Implement logging for all flight controller restarts with crash analysis
- Deploy firmware integrity monitoring to detect unexpected behavior patterns
- Review flight logs for correlation between external communication events and system crashes
Monitoring Recommendations
- Enable verbose logging on PX4 flight controllers to capture crash dump information
- Implement ground station monitoring for sudden loss of telemetry during operations
- Configure alerts for unexpected flight controller reboots or disconnections
- Monitor serial port activity for anomalous traffic patterns
How to Mitigate CVE-2026-32706
Immediate Actions Required
- Update PX4 Drone Autopilot to version 1.17.0-rc2 or later immediately
- Audit all deployed drones to identify systems running vulnerable firmware versions
- Restrict physical and wireless access to drone CRSF serial interfaces
- Review operational procedures to minimize exposure during firmware update cycles
Patch Information
The vulnerability has been fixed in PX4 Drone Autopilot version 1.17.0-rc2. Organizations should prioritize upgrading all affected drone systems to this version or later. The fix implements proper bounds checking before copying CRSF packet data into the buffer. For detailed patch information, see the GitHub Security Advisory.
Workarounds
- Disable the crsf_rc module if CRSF protocol is not required for operations
- Implement physical security controls to prevent unauthorized access to drone serial interfaces
- Use alternative RC protocols that are not affected by this vulnerability
- Monitor and restrict serial port access to trusted devices only
# Verify PX4 firmware version
px4_version
# If using QGroundControl, check firmware version in Vehicle Setup > Firmware
# Update to 1.17.0-rc2 or later through the firmware update process
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
