CVE-2026-26741 identifies a critical logic flaw in the PX4 Autopilot software versions 1.12.x through 1.15.x, specifically in the mode switching mechanism from Auto to Manual mode when the drone is in the ARMED state. The vulnerability stems from the absence of a throttle threshold safety check on the physical throttle stick during this transition. Normally, after landing, the autopilot triggers an automatic disarm via the COM_DISARM_LAND parameter to ensure safety. However, if the mode is switched manually from Auto to Manual before this disarm, the system fails to verify that the throttle stick is at a safe (low) position. This oversight can cause the drone to suddenly ascend uncontrollably, leading to a flyaway scenario. Such behavior risks loss of control, potentially causing property damage or injury. The flaw is a logic error rather than a memory corruption or code execution vulnerability, meaning exploitation involves normal drone operation sequences rather than remote code execution. No patches or fixes are currently linked, and no exploits have been reported in the wild. The PX4 Autopilot is widely used in commercial, research, and hobbyist drones, making this vulnerability relevant to a broad user base. The lack of a CVSS score necessitates a severity assessment based on impact and exploitability factors.

The primary impact of this vulnerability is physical safety and property damage risk due to uncontrolled drone behavior. Organizations using PX4 Autopilot in drones for commercial deliveries, industrial inspections, agriculture, or defense could face operational disruptions, financial losses, and liability issues if drones fly away or crash. Loss of control could also endanger people in the vicinity, raising safety and regulatory concerns. The flaw does not directly compromise data confidentiality or integrity but affects availability and operational safety. The ease of triggering the issue is moderate, requiring mode switching while armed but no complex exploitation or remote access. The scope is broad given PX4's global adoption in various drone platforms. This vulnerability could undermine trust in autonomous drone operations and complicate compliance with aviation safety regulations.

To mitigate this vulnerability, organizations should immediately review and update operational procedures to avoid switching from Auto to Manual mode while the drone is armed and before automatic disarm occurs. Operators must ensure the throttle stick is at the lowest position before mode changes. Until a software patch is released, enforcing strict manual controls and pilot training is critical. Monitoring firmware updates from PX4 developers and applying patches promptly once available is essential. Additionally, implementing hardware or software interlocks that prevent mode switching under unsafe throttle conditions can reduce risk. Conducting thorough pre-flight and post-landing checks to confirm drone states can help prevent accidental triggering. For critical deployments, consider using alternative autopilot software versions or vendors that do not exhibit this flaw. Finally, integrating telemetry alerts for unexpected mode changes or throttle positions can provide early warnings to operators.