CVE-2026-32706 is a classic buffer overflow vulnerability (CWE-120) identified in the PX4-Autopilot software, a widely used open-source flight control solution for drones. The vulnerability exists in the crsf_rc parser component, which processes packets received over the CRSF serial port. Specifically, the parser accepts variable-length known packets but fails to verify that the packet size does not exceed the fixed 64-byte global buffer allocated for storage. When an oversized packet is received, it is copied into this buffer without bounds checking, resulting in memory corruption. This can lead to a crash of the PX4 system, affecting the drone's flight control software's availability and potentially its integrity. The attack vector requires an attacker to have access to the CRSF serial port, which is typically a local or adjacent interface, implying physical or network proximity. No privileges or user interaction are required to exploit this vulnerability. The flaw was addressed and fixed in PX4 version 1.17.0-rc2. The CVSS v3.1 score of 7.1 reflects the high severity due to the ease of exploitation and significant impact on availability and integrity, though confidentiality is not affected. No known exploits are reported in the wild as of the publication date. This vulnerability highlights the risks of insufficient input validation in embedded systems controlling critical drone functions.

The primary impact of CVE-2026-32706 is on the availability and integrity of drone flight control systems using PX4-Autopilot versions prior to 1.17.0-rc2. Successful exploitation can cause memory corruption leading to system crashes, resulting in denial of service of the autopilot. This can cause drones to lose control, potentially leading to unsafe flight conditions, crashes, or mission failures. For organizations relying on PX4-based drones for commercial, industrial, or governmental operations, this can translate into operational disruptions, safety hazards, financial losses, and reputational damage. Since the vulnerability requires access to the CRSF serial port, attackers with physical proximity or network access to the drone's control interface pose the greatest risk. The lack of confidentiality impact limits data leakage concerns, but the integrity and availability risks are significant, especially in safety-critical drone deployments such as delivery, surveillance, or infrastructure inspection.

To mitigate CVE-2026-32706, organizations should immediately upgrade PX4-Autopilot to version 1.17.0-rc2 or later, where the vulnerability is fixed. In addition, strict access controls should be enforced on the CRSF serial port to prevent unauthorized or adjacent attackers from sending malicious packets. This includes physical security measures to restrict direct hardware access and network segmentation to isolate drone control interfaces from untrusted networks. Implementing monitoring and anomaly detection on serial port traffic can help identify attempts to exploit the vulnerability. Developers should also review and apply secure coding practices, including rigorous input validation and bounds checking, to prevent similar buffer overflow issues. For deployments where immediate upgrade is not feasible, disabling the crsf_rc parser or the CRSF serial port if not in use can reduce exposure. Finally, conducting regular security assessments and firmware audits on drone systems will help identify and remediate vulnerabilities proactively.