The vulnerability identified as CVE-2026-32724 affects PX4-Autopilot, an open-source flight control software widely used in drones. The issue is a heap-based use-after-free (CWE-416) occurring in the MavlinkShell::available() function due to a race condition between two concurrent threads: the MAVLink receiver thread, responsible for creating and destroying shell instances, and the telemetry sender thread, which polls these shells for output availability. This concurrency flaw allows the telemetry thread to access memory that has already been freed by the receiver thread, leading to undefined behavior such as crashes or potential memory corruption. The vulnerability can be remotely triggered by sending specially crafted MAVLink SERIAL_CONTROL messages (message ID 126) from an external ground station or automated script. Notably, no authentication or user interaction is required to exploit this flaw, though the CVSS vector indicates a high attack complexity, implying some conditions must be met for successful exploitation. The impact primarily affects availability, as exploitation can cause the autopilot software to crash, potentially leading to loss of drone control. The issue was addressed and fixed in PX4 version 1.17.0-rc1. No public exploits have been reported to date, but the vulnerability poses a risk to any systems running vulnerable PX4 versions with exposed MAVLink interfaces.

This vulnerability can significantly impact organizations relying on PX4-Autopilot for drone operations, including commercial drone service providers, research institutions, and defense contractors. Exploitation can cause denial of service by crashing the autopilot software, potentially resulting in loss of drone control, mission failure, or physical damage. This is particularly critical for drones used in sensitive or high-risk environments such as infrastructure inspection, delivery services, agriculture, or military applications. The remote triggerability without authentication increases the attack surface, especially if MAVLink communication channels are exposed or insufficiently protected. While no direct confidentiality or integrity impact is indicated, availability loss can disrupt operations and cause safety hazards. The medium CVSS score reflects moderate severity but the operational consequences in real-world drone deployments could be substantial. Organizations may face operational downtime, financial losses, and reputational damage if drones become inoperable or crash due to exploitation.

To mitigate this vulnerability, organizations should upgrade PX4-Autopilot to version 1.17.0-rc1 or later where the issue is fixed. Until upgrading is possible, restrict MAVLink communication to trusted and authenticated sources only, ideally over secure channels such as encrypted telemetry links or VPNs to prevent unauthorized message injection. Implement network segmentation and firewall rules to limit access to MAVLink ports from untrusted networks. Employ runtime monitoring and anomaly detection on drone telemetry to identify unusual MAVLink message patterns that could indicate exploitation attempts. Developers should review and harden concurrent thread handling in PX4 code to prevent similar race conditions. Additionally, consider implementing watchdog mechanisms to safely recover or land drones in case of autopilot crashes. Regularly audit and update drone software and firmware to incorporate security patches promptly.