CVE-2026-32706: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') in PX4 PX4-Autopilot
PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, the crsf_rc parser accepts an oversized variable-length known packet and copies it into a fixed 64-byte global buffer without a bounds check. In deployments where crsf_rc is enabled on a CRSF serial port, an adjacent/raw-serial attacker can trigger memory corruption and crash PX4. This vulnerability is fixed in 1.17.0-rc2.
AI Analysis
Technical Summary
CVE-2026-32706 is a classic buffer overflow (CWE-120) in PX4-Autopilot, a widely used open-source flight control stack for drones. The flaw sits in the crsf_rc parser, which decodes frames arriving on a serial port configured for the CRSF protocol, the link normally used between a CRSF-capable RC receiver and the flight controller. CRSF frames are variable length, and the length is taken from the frame itself. Before 1.17.0-rc2, once the parser recognised a frame as a known packet type it copied the whole frame into a fixed 64-byte global buffer using that wire-supplied length, without first checking that the length fit in the buffer. A frame declaring more than 64 bytes therefore overruns the buffer and overwrites whatever global data follows it. The attacker model is anyone who can put bytes onto that serial line: physical access to the UART, or any upstream device or bridge that feeds it, which is why the advisory rates the vector as adjacent/raw-serial rather than remote. No privileges or user interaction are needed once that access exists. The documented outcome is a crash of PX4, i.e. denial of service of the flight controller; because the overwritten data is global state, other integrity effects cannot be ruled out, although none beyond the crash are described. Confidentiality is not affected. The fix in 1.17.0-rc2 adds the bounds check before the copy. No public exploit has been reported, but the trigger is a single malformed frame, so affected deployments should patch promptly.
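The following is an added example written for this page; it is not PX4's crsf_rc code and none of its names come from the project. It models a CRSF-style frame parser that copies each complete frame into a fixed 64-byte global buffer, first in the unchecked form the advisory describes and then with the bounds check the fix needs. The framing is standard CRSF ([addr][len][type][payload...][crc8], with len counting type + payload + crc so a whole frame is len + 2 bytes and the largest legal frame is 64 bytes); the frame type, address and payload bytes are constructed for the demonstration. To keep the overrun observable without undefined behaviour, the vulnerable variant places its 64-byte buffer at the front of a larger array with a canary behind it.

```c
/*
 * Added example, not PX4 code: a model CRSF-style frame parser with a fixed
 * 64-byte global buffer, in the unchecked (CWE-120) and the checked form.
 * Assumed framing: [addr][len][type][payload...][crc8], len = type+payload+crc.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CRSF_MAX_FRAME 64   /* size of the fixed frame buffer */
#define CRSF_HDR       2    /* addr + len bytes, not counted by len */
#define CANARY_LEN     4

enum crsf_status { CRSF_OK = 0, CRSF_NEED_MORE, CRSF_ERR_LEN, CRSF_ERR_CRC };

/* CRC-8/DVB-S2 (poly 0xD5) over type + payload, the CRC CRSF frames carry. */
static uint8_t crsf_crc8(const uint8_t *p, size_t n)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80) ? (crc << 1) ^ 0xD5 : (crc << 1));
    }
    return crc;
}

/* Vulnerable pattern. The 64-byte buffer is the front of g_region; a 4-byte
 * canary sits right behind it so the overrun lands in memory we can inspect.
 * Returns how many canary bytes the copy overwrote (0 = no overflow). */
static uint8_t g_region[CRSF_MAX_FRAME + CANARY_LEN];

size_t unchecked_copy_clobbered(const uint8_t *in, size_t avail)
{
    static const uint8_t canary[CANARY_LEN] = {0xAA, 0x55, 0xAA, 0x55};
    memset(g_region, 0, sizeof g_region);
    memcpy(g_region + CRSF_MAX_FRAME, canary, CANARY_LEN);

    if (avail < CRSF_HDR) return 0;
    size_t frame_len = (size_t)in[1] + CRSF_HDR;   /* attacker-controlled */
    if (frame_len > avail) return 0;               /* wait for more bytes */
    /* BUG: frame_len is never compared against CRSF_MAX_FRAME. The cap below
     * only keeps this model inside g_region; the real bug has no such cap. */
    size_t n = frame_len < sizeof g_region ? frame_len : sizeof g_region;
    memcpy(g_region, in, n);

    size_t clobbered = 0;
    for (size_t i = 0; i < CANARY_LEN; i++)
        clobbered += g_region[CRSF_MAX_FRAME + i] != canary[i];
    return clobbered;
}

/* Checked parser: validate the wire length against the buffer before any copy
 * and before the CRC walks the payload, so neither runs off the end. */
static uint8_t g_frame[CRSF_MAX_FRAME];

enum crsf_status checked_parse(const uint8_t *in, size_t avail, size_t *out_len)
{
    if (avail < CRSF_HDR) return CRSF_NEED_MORE;
    size_t len = in[1];
    size_t frame_len = len + CRSF_HDR;
    if (len < 2 || frame_len > CRSF_MAX_FRAME) return CRSF_ERR_LEN; /* the fix */
    if (frame_len > avail) return CRSF_NEED_MORE;
    if (crsf_crc8(in + 2, len - 1) != in[frame_len - 1]) return CRSF_ERR_CRC;
    memcpy(g_frame, in, frame_len);
    *out_len = frame_len;
    return CRSF_OK;
}

/* Build a constructed frame (type 0x16, the RC-channels type, whose real
 * payload is 22 bytes) with `plen` bytes of 0x11 payload. Returns total bytes. */
size_t build_frame(uint8_t *out, size_t cap, size_t plen, int corrupt_crc)
{
    size_t total = plen + 4;                 /* addr, len, type, payload, crc */
    if (total > cap || plen + 2 > 0xFF) return 0;
    out[0] = 0xC8;                           /* flight-controller address */
    out[1] = (uint8_t)(plen + 2);
    out[2] = 0x16;
    memset(out + 3, 0x11, plen);
    out[total - 1] = (uint8_t)(crsf_crc8(out + 2, plen + 1) ^ (corrupt_crc ? 1 : 0));
    return total;
}

/* Scenario helpers: run one constructed frame through each parser. */
int checked_status_for_payload(size_t plen, int corrupt_crc)
{
    uint8_t buf[80]; size_t got = 0;
    size_t n = build_frame(buf, sizeof buf, plen, corrupt_crc);
    return (int)checked_parse(buf, n, &got);
}

size_t unchecked_clobbered_for_payload(size_t plen)
{
    uint8_t buf[80];
    size_t n = build_frame(buf, sizeof buf, plen, 0);
    return unchecked_copy_clobbered(buf, n);
}

int main(void)
{
    printf("22-byte payload: checked=%d clobbered=%zu\n",
           checked_status_for_payload(22, 0), unchecked_clobbered_for_payload(22));
    printf("62-byte payload: checked=%d clobbered=%zu\n",
           checked_status_for_payload(62, 0), unchecked_clobbered_for_payload(62));
    return 0;
}
```

A 22-byte payload (26-byte frame) passes both paths untouched; a 62-byte payload declares a 66-byte frame, which the checked parser rejects with CRSF_ERR_LEN before reading the payload, while the unchecked copy writes past byte 64 and overwrites the canary. The order of checks matters: the length test comes before the CRC because the CRC routine itself would otherwise read beyond the received bytes.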
Potential Impact
The impact falls on the integrity and availability of the flight controller on vehicles running PX4 with crsf_rc enabled. A single malformed frame corrupts global memory and crashes PX4; on an airborne vehicle a flight controller crash or reboot can mean loss of control or a forced landing, so this is a safety issue as well as an availability one. Operators using PX4 for surveying, delivery, inspection, or defence work should expect mission disruption, financial loss, or safety incidents if the port is reachable. Reachability is the limiting factor: the attacker must be able to write to the CRSF serial port, so the realistic vectors are physical access to the UART, any upstream device or bridge that feeds the port, or a deployment that exposes the serial line over a network. Insiders and anyone with hands-on access to the airframe are well placed. No confidentiality impact is claimed, but given the safety-critical role of the autopilot the availability and integrity consequences are significant.
Mitigation Recommendations
1. Upgrade PX4-Autopilot to 1.17.0-rc2 or later, which adds the missing bounds check on the frame copy. Confirm the running version on each vehicle rather than assuming a fleet-wide image.
2. Check whether crsf_rc is actually enabled: it is only active when a serial port has been assigned to it (the RC_CRSF_PRT_CFG parameter in recent PX4 releases; verify the parameter name against the documentation for your version). Disable it on vehicles that do not use a CRSF receiver.
3. Physically secure the CRSF serial line and the receiver feeding it; anyone who can write bytes onto that UART is inside the attacker model.
4. Isolate any path that bridges the CRSF port onto a network (serial-over-network, companion computer bridges) from untrusted networks and users.
5. Watch for unexplained autopilot restarts or watchdog resets; on an unpatched vehicle these are the observable result of a malformed frame.
6. Audit firmware versions and serial port configurations regularly so that unpatched or unnecessarily enabled crsf_rc instances are found.
7. For RF or otherwise wireless CRSF links, treat link authentication or encryption as defence in depth, not a substitute for the patch: the parser must not trust the wire-supplied length regardless of who sent it.
8. Train operators and maintenance personnel on firmware updates and physical security around the flight controller and receiver.
Affected Countries
United States, China, Germany, France, United Kingdom, Japan, South Korea, Australia, Canada, Israel
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T14:33:42.823Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b481d42f860ef943b5ebc6
Added to database: 3/13/2026, 9:29:56 PM
Last enriched: 3/20/2026, 11:11:20 PM
Last updated: 4/28/2026, 4:38:11 AM