{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32724", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T15:02:00.625Z", "datePublished": "2026-03-13T21:39:19.207Z", "dateUpdated": "2026-03-16T20:22:43.754Z"}, "containers": {"cna": {"title": "PX4 autopilot has a heap Use-After-Free in MavlinkShell::available() via SERIAL_CONTROL Race Condition", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "lang": "en", "description": "CWE-416: Use After Free", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-j5w2-w79c-mqrw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-j5w2-w79c-mqrw"}], "affected": [{"vendor": "PX4", "product": "PX4-Autopilot", "versions": [{"version": "< 1.17.0-rc1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T21:39:19.207Z"}, "descriptions": [{"lang": "en", "value": "PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc1, a heap-use-after-free is detected in the MavlinkShell::available() function. The issue is caused by a race condition between the MAVLink receiver thread (which handles shell creation/destruction) and the telemetry sender thread (which polls the shell for available output). The issue is remotely triggerable via MAVLink SERIAL_CONTROL messages (ID 126), which can be sent by an external ground station or automated script. This vulnerability is fixed in 1.17.0-rc1."}], "source": {"advisory": "GHSA-j5w2-w79c-mqrw", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32724", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T20:08:23.812031Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:22:43.754Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32724", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T20:08:23.812031Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T20:20:41.823Z"}}], "cna": {"title": "PX4 autopilot has a heap Use-After-Free in MavlinkShell::available() via SERIAL_CONTROL Race Condition", "source": {"advisory": "GHSA-j5w2-w79c-mqrw", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "PX4", "product": "PX4-Autopilot", "versions": [{"status": "affected", "version": "< 1.17.0-rc1"}]}], "references": [{"url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-j5w2-w79c-mqrw", "name": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-j5w2-w79c-mqrw", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc1, a heap-use-after-free is detected in the MavlinkShell::available() function. The issue is caused by a race condition between the MAVLink receiver thread (which handles shell creation/destruction) and the telemetry sender thread (which polls the shell for available output). The issue is remotely triggerable via MAVLink SERIAL_CONTROL messages (ID 126), which can be sent by an external ground station or automated script. This vulnerability is fixed in 1.17.0-rc1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416: Use After Free"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-13T21:39:19.207Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32724", "state": "PUBLISHED", "dateUpdated": "2026-03-16T20:22:43.754Z", "dateReserved": "2026-03-13T15:02:00.625Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-13T21:39:19.207Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*:*", "matchCriteriaId": "2FC2D6F1-D77D-44C2-A99C-55CB5A4474B9", "versionEndExcluding": "1.17.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "033A0A82-2986-44D5-A712-47B8D43407FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:dronecode:px4_drone_autopilot:1.17.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "3F2EA96E-BC3A-42AB-B81B-53D5872B2296", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc1, a heap-use-after-free is detected in the MavlinkShell::available() function. The issue is caused by a race condition between the MAVLink receiver thread (which handles shell creation/destruction) and the telemetry sender thread (which polls the shell for available output). The issue is remotely triggerable via MAVLink SERIAL_CONTROL messages (ID 126), which can be sent by an external ground station or automated script. This vulnerability is fixed in 1.17.0-rc1."}], "id": "CVE-2026-32724", "lastModified": "2026-03-16T18:33:49.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-16T14:19:43.203", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/PX4/PX4-Autopilot/security/advisories/GHSA-j5w2-w79c-mqrw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.17.0-rc1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PX4-Autopilot", "source": "cna", "vendor": "PX4"}, "product": "px4-autopilot", "vendor": "px4"}], "analysis": {"en": {"generated_at": "2026-03-16T23:42:50.311368+00:00", "value": {"mitigation_remediation": ["Update PX4 Autopilot firmware to version 1.17.0-rc1 or later to eliminate the race condition.", "Verify that the UAV firmware reflects the patched version before deployment."], "summary": {"action": "Immediate Patch", "impact": "Memory Corruption"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to PX4 Autopilot firmware versions released prior to 1.17.0-rc1, including the 1.17.0 alpha1 and beta1 releases, as well as all earlier builds. The affected vendor is PX4:PX4-Autopilot.", "description_and_impact": "PX4 Autopilot contains a heap-use-after-free vulnerability in the MavlinkShell::available() function; the flaw arises from a race condition between the MAVLink receiver thread and the telemetry sender thread, enabling improper deallocation of shell memory. This can lead to memory corruption, potentially causing a system crash or other integrity violations as the impacted firmware is not correctly initialized.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while the EPSS score of less than 1% reflects a low likelihood of exploitation. The issue is not listed in the CISA KEV catalog. It is remotely triggerable via MAVLink SERIAL_CONTROL (ID\u202f126) messages that can be sent from any external ground station or script, but exploiting the race condition requires precise timing of MAVLink packets. Considering the moderate impact and low probability, patching remains the most prudent response."}}}}, "created": "2026-03-16T09:22:30.437937+00:00", "updated": "2026-03-23T13:39:12.800632+00:00", "vendors": ["px4", "px4$PRODUCT$px4-autopilot"]}