CVE-2026-32724: CWE-416: Use After Free in PX4 PX4-Autopilot
CVE-2026-32724 is a use-after-free vulnerability in PX4-Autopilot versions prior to 1.17.0-rc1. It arises from a race condition between the MAVLink receiver and telemetry sender threads in the MavlinkShell::available() function. The flaw can be remotely triggered via MAVLink SERIAL_CONTROL messages (ID 126) sent by an external ground station or automated script. Exploitation can cause a heap-use-after-free leading to potential denial of service by crashing the autopilot software. No confidentiality or integrity impact is reported. The vulnerability requires network access but no authentication or user interaction. PX4 has fixed this issue in version 1.17.
AI Analysis
Technical Summary
CVE-2026-32724 is a heap-use-after-free vulnerability identified in the PX4-Autopilot flight control software for drones, specifically affecting versions prior to 1.17.0-rc1. The root cause is a race condition between two concurrent threads: the MAVLink receiver thread, responsible for creating and destroying shell instances, and the telemetry sender thread, which polls these shells for output availability. This concurrency flaw occurs in the MavlinkShell::available() function, where the telemetry sender thread may access memory that has already been freed by the receiver thread, leading to undefined behavior and potential crashes. The vulnerability is remotely triggerable via MAVLink SERIAL_CONTROL messages (message ID 126), which can be sent by any external entity with network access to the drone's MAVLink interface, such as a ground control station or an automated script. Exploiting this flaw does not require authentication or user interaction but does require network-level access to the MAVLink communication channel. The primary impact is on availability, as exploitation can cause the autopilot software to crash or behave unpredictably, potentially resulting in loss of drone control or mission failure. There is no indication of confidentiality or integrity compromise. PX4 addressed this issue in version 1.17.0-rc1 by fixing the race condition and ensuring proper synchronization between threads. No known exploits are currently reported in the wild. The CVSS v3.1 base score is 5.3, reflecting medium severity due to the remote triggerability and impact on availability, balanced by the requirement for network access and the complexity of exploitation.
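The race described above, reduced to a minimal model, as an added example that is not PX4's code: the MavlinkShell and ShellRegistry classes, the method names and the scripted interleaving are assumptions, and the two real threads are replaced by a fixed sequence of calls so the outcome is deterministic. The raw-pointer version shows the bug class; the mutex-guarded shared_ptr version shows one general way to close it (PX4's actual patch may differ).

```cpp
// Added illustration of the CWE-416 race pattern described above. This is
// NOT PX4 code: MavlinkShell, ShellRegistry and the scripted interleaving are
// a simplified model (assumptions), written to show the bug class and a fix.
#include <cstddef>
#include <deque>
#include <iostream>
#include <memory>
#include <mutex>
#include <string>

// Stand-in for a shell session that SERIAL_CONTROL handling would create.
class MavlinkShell {
public:
    void push_output(const std::string &s) { output_.push_back(s); }
    // Bytes of shell output waiting to be sent back to the ground station.
    std::size_t available() const {
        std::size_t n = 0;
        for (const auto &s : output_) n += s.size();
        return n;
    }
private:
    std::deque<std::string> output_;
};

// Vulnerable pattern (not executed here): the sender thread polls through a
// raw pointer it does not own. If the receiver thread deletes the shell
// between the null check and the call, available() runs on freed memory;
// AddressSanitizer reports this as heap-use-after-free.
std::size_t unsafe_poll(MavlinkShell *shell) {
    if (shell == nullptr) return 0;
    // <-- receiver thread may execute `delete shell;` at this point
    return shell->available();
}

// Hardened pattern: the registry owns the shell through a mutex-guarded
// shared_ptr. The sender copies a strong reference under the lock, so the
// object cannot be freed while it is being polled, and a shell destroyed
// by the receiver is observed as absent (0 bytes) instead of dangling.
class ShellRegistry {
public:
    void create() {                       // receiver thread
        std::lock_guard<std::mutex> lk(mu_);
        shell_ = std::make_shared<MavlinkShell>();
    }
    void destroy() {                      // receiver thread
        std::lock_guard<std::mutex> lk(mu_);
        shell_.reset();                   // freed only when no other ref remains
    }
    std::shared_ptr<MavlinkShell> acquire() const {   // either thread
        std::lock_guard<std::mutex> lk(mu_);
        return shell_;                    // copy taken while locked
    }
    std::size_t safe_poll() const {       // sender thread
        if (auto s = acquire()) return s->available();
        return 0;
    }
    bool feed(const std::string &line) {  // receiver thread
        if (auto s = acquire()) { s->push_output(line); return true; }
        return false;
    }
private:
    mutable std::mutex mu_;
    std::shared_ptr<MavlinkShell> shell_;
};

// Results of one scripted interleaving: create -> feed -> poll -> destroy -> poll.
struct PollTrace {
    bool fed;                       // output accepted while the shell was live
    std::size_t before_destroy;     // bytes seen by the sender before destroy
    std::size_t after_destroy;      // bytes seen via the registry after destroy
    std::size_t held_after_destroy; // bytes seen via a reference taken earlier
};

PollTrace run_interleaving() {
    ShellRegistry reg;
    reg.create();
    PollTrace t{};
    t.fed = reg.feed("nsh> uptime\n");          // constructed sample output, 12 bytes
    t.before_destroy = reg.safe_poll();
    auto held = reg.acquire();                   // sender grabs a strong ref ...
    reg.destroy();                               // ... receiver closes the session
    t.after_destroy = reg.safe_poll();           // registry empty: 0, no dereference
    t.held_after_destroy = held ? held->available() : 0; // still alive via `held`
    return t;
}

int main() {
    PollTrace t = run_interleaving();
    std::cout << "fed=" << t.fed << " before=" << t.before_destroy
              << " after=" << t.after_destroy
              << " held=" << t.held_after_destroy << '\n';
    return 0;
}
```

The point of the hardened version is that lifetime and visibility are decided in one place, under one lock: the sender never holds a pointer the receiver can invalidate, and whichever thread drops the last reference is the one that frees the object. `unsafe_poll` is kept only for contrast; if the same sequence were driven by two real threads with a raw pointer, a build with `-fsanitize=address` is the quickest way to surface the dangling access during testing.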
Potential Impact
The primary impact of CVE-2026-32724 is on the availability of drone flight control systems using vulnerable PX4-Autopilot versions. Successful exploitation can cause heap-use-after-free conditions leading to crashes or unpredictable behavior of the autopilot software. This can result in loss of control over drones during flight, potentially causing mission failures, physical damage to the drone, or safety hazards to people and property nearby. Since PX4 is widely used in commercial, research, and hobbyist drone platforms, organizations relying on these drones for critical operations such as surveying, delivery, inspection, or defense could face operational disruptions. However, the vulnerability does not affect confidentiality or integrity, so data theft or manipulation is not a direct concern. The requirement for network access to the MAVLink interface limits the attack surface to entities able to communicate with the drone’s telemetry system, which may be mitigated by network segmentation or secure communication channels. Nonetheless, the risk remains significant for drones operating in exposed or hostile environments where attackers can send crafted MAVLink messages.
Mitigation Recommendations
To mitigate CVE-2026-32724, organizations should immediately upgrade PX4-Autopilot software to version 1.17.0-rc1 or later, where the race condition is resolved. In addition to patching, implement strict network controls to limit access to the MAVLink interface, such as using firewalls, VPNs, or encrypted communication channels to prevent unauthorized message injection. Employ authentication and message integrity mechanisms for MAVLink communications where possible to reduce the risk of malicious commands. Monitor drone telemetry and logs for unusual or unexpected SERIAL_CONTROL messages that could indicate exploitation attempts. For critical deployments, consider isolating drone control networks from public or untrusted networks. Conduct regular security assessments and code reviews on drone software to detect concurrency issues and other vulnerabilities early. Finally, maintain an incident response plan tailored to drone operations to quickly address any autopilot failures or suspicious activities.
Affected Countries
United States, China, Germany, France, United Kingdom, Japan, South Korea, Australia, Canada, Israel
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T15:02:00.625Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b488d62f860ef943ba416b
Added to database: 3/13/2026, 9:59:50 PM
Last enriched: 3/13/2026, 10:14:19 PM
Last updated: 3/13/2026, 11:12:32 PM