CVE-2026-32706
Undergoing Analysis Undergoing Analysis - In Progress
Buffer Overflow in PX4 crsf_rc Parser Causes Crash

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, The crsf_rc parser accepts an oversized variable-length known packet and copies it into a fixed 64-byte global buffer without a bounds check. In deployments where crsf_rc is enabled on a CRSF serial port, an adjacent/raw-serial attacker can trigger memory corruption and crash PX4. This vulnerability is fixed in 1.17.0-rc2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32706
EUVD
EUVD-2026-12150
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
dronecode px4_drone_autopilot to 1.17.0 (exc)
dronecode px4_drone_autopilot 1.17.0
dronecode px4_drone_autopilot 1.17.0
dronecode px4_drone_autopilot 1.17.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-32706 vulnerability is a global buffer overflow in the crsf_rc parser of the PX4 autopilot software, affecting versions prior to 1.17.0-rc2.

The issue occurs because the parser accepts an oversized variable-length known packet and copies it into a fixed-size 64-byte global buffer without checking if the packet size exceeds the buffer size.

This unchecked copy leads to memory corruption, which can cause the PX4 autopilot software to crash.

An attacker with access to the CRSF serial port, such as a malicious device on the same serial line, can exploit this by sending crafted oversized packets to trigger the overflow.

Impact Analysis

This vulnerability can lead to a denial of service by crashing the PX4 autopilot software, which controls drone flight.

An attacker with adjacent access to the CRSF serial port can exploit this to cause memory corruption and crash the system.

The impact includes potential loss of control or interruption of drone operations, which could have safety and operational consequences.

The vulnerability has a high severity score (CVSS 7.1) mainly due to its availability impact.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for crashes or memory corruption events in the PX4 autopilot software when the crsf_rc parser is enabled on a CRSF serial port.

A proof-of-concept environment exists that uses a Docker-based setup to build a PX4 SITL binary with AddressSanitizer (ASAN), runs the PX4 daemon and crsf_rc module against a PTY-backed serial device, injects crafted oversized packets, and confirms the overflow via ASAN crash logs.

While no specific commands are provided, detection involves running PX4 with ASAN enabled and injecting oversized CRSF packets to observe crashes or memory corruption.

Mitigation Strategies

The immediate mitigation step is to upgrade PX4 autopilot software to version 1.17.0-rc2 or later, where this vulnerability has been fixed.

Additionally, restrict access to the CRSF serial port to trusted devices only, preventing adjacent attackers from injecting malicious oversized packets.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32706. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart