{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32706", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T14:33:42.823Z", "datePublished": "2026-03-13T21:17:02.719Z", "dateUpdated": "2026-03-17T15:41:50.077Z"}, "containers": {"cna": {"title": "PX4 autopilot has a global buffer overflow in crsf_rc via oversized variable-length known packet", "problemTypes": [{"descriptions": [{"cweId": "CWE-120", "lang": "en", "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-787", "lang": "en", "description": "CWE-787: Out-of-bounds Write", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-mqgj-hh4g-fg5p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-mqgj-hh4g-fg5p"}], "affected": [{"vendor": "PX4", "product": "PX4-Autopilot", "versions": [{"version": "< 1.17.0-rc2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T21:17:02.719Z"}, "descriptions": [{"lang": "en", "value": "PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, The crsf_rc parser accepts an oversized variable-length known packet and copies it into a fixed 64-byte global buffer without a bounds check. In deployments where crsf_rc is enabled on a CRSF serial port, an adjacent/raw-serial attacker can trigger memory corruption and crash PX4. This vulnerability is fixed in 1.17.0-rc2."}], "source": {"advisory": "GHSA-mqgj-hh4g-fg5p", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-mqgj-hh4g-fg5p", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T15:41:19.426833Z", "id": "CVE-2026-32706", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T15:41:50.077Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32706", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T15:41:19.426833Z"}}}], "references": [{"url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-mqgj-hh4g-fg5p", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T15:41:42.773Z"}}], "cna": {"title": "PX4 autopilot has a global buffer overflow in crsf_rc via oversized variable-length known packet", "source": {"advisory": "GHSA-mqgj-hh4g-fg5p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "PX4", "product": "PX4-Autopilot", "versions": [{"status": "affected", "version": "< 1.17.0-rc2"}]}], "references": [{"url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-mqgj-hh4g-fg5p", "name": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-mqgj-hh4g-fg5p", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, The crsf_rc parser accepts an oversized variable-length known packet and copies it into a fixed 64-byte global buffer without a bounds check. In deployments where crsf_rc is enabled on a CRSF serial port, an adjacent/raw-serial attacker can trigger memory corruption and crash PX4. This vulnerability is fixed in 1.17.0-rc2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-120", "description": "CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-787", "description": "CWE-787: Out-of-bounds Write"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T21:17:02.719Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32706", "state": "PUBLISHED", "dateUpdated": "2026-03-17T15:41:50.077Z", "dateReserved": "2026-03-13T14:33:42.823Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-13T21:17:02.719Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*", "matchCriteriaId": "2FC2D6F1-D77D-44C2-A99C-55CB5A4474B9", "versionEndExcluding": "1.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "033A0A82-2986-44D5-A712-47B8D43407FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "3F2EA96E-BC3A-42AB-B81B-53D5872B2296", "vulnerable": true}, {"criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "1EAC5320-8D94-477D-AB85-144F8218DDFB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, The crsf_rc parser accepts an oversized variable-length known packet and copies it into a fixed 64-byte global buffer without a bounds check. In deployments where crsf_rc is enabled on a CRSF serial port, an adjacent/raw-serial attacker can trigger memory corruption and crash PX4. This vulnerability is fixed in 1.17.0-rc2."}], "id": "CVE-2026-32706", "lastModified": "2026-03-17T16:16:22.890", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-16T14:19:41.610", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-mqgj-hh4g-fg5p"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-mqgj-hh4g-fg5p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-120"}, {"lang": "en", "value": "CWE-787"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.17.0-rc2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PX4-Autopilot", "source": "cna", "vendor": "PX4"}, "product": "px4-autopilot", "vendor": "px4"}], "analysis": {"en": {"generated_at": "2026-03-16T23:43:29.237856+00:00", "value": {"mitigation_remediation": ["Upgrade PX4 Autopilot to version 1.17.0\u2011rc2 or later, where the crsf_rc parser includes bounds checks.", "If an immediate upgrade is not feasible, disable the crsf_rc feature or block the CRSF serial port to prevent packet injection.", "After update, verify the firmware version and perform stability testing.", "Monitor system logs for segmentation faults or unexpected crashes that may indicate exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in PX4 Autopilot firmware versions prior to 1.17.0\u2011rc2, including releases 1.17.0\u2011alpha1, 1.17.0\u2011beta1, and 1.17.0\u2011rc1. It affects any deployment where the crsf_rc feature is enabled over a CRSF serial port and an adjacent or raw\u2011serial channel is reachable by an attacker.", "description_and_impact": "PX4 autopilot contains a global buffer overflow in the crsf_rc parser. An oversized variable\u2011length known packet is accepted and copied into a fixed 64\u2011byte global buffer without bounds checking. The overflow corrupts adjacent memory or triggers a crash, resulting in denial of service. The weakness is classified as CWE\u2011120 (Buffer Copy without Checking Size of Destination Buffer) and CWE\u2011787 (Out\u2011of\u2011Bounds Write).", "risk_and_exploitability": "The CVSS base score is 7.1, indicating moderate to high severity. EPSS is below 1%, suggesting a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. An attacker would need to send crafted packets over the CRSF serial interface, typically a local or physically accessible channel, to trigger the overflow. Successful exploitation would cause the PX4 firmware to crash or reboot, leading to loss of vehicle control and availability. There is no evidence of confirmed code execution, so the primary impact is denial of service and potential loss of mission safety."}}}}, "created": "2026-03-16T09:22:44.805855+00:00", "updated": "2026-03-23T13:39:22.277624+00:00", "vendors": ["px4", "px4$PRODUCT$px4-autopilot"]}