PX4 autopilot is a flight control solution for drones. Prior to 1.17.0-rc2, The crsf_rc parser accepts an oversized variable-length known packet and copies it i…

CVE-2026-32706 affects PX4 autopilot flight control software for drones prior to version 1.17.0-rc2. The vulnerability exists in the crsf_rc parser which accepts oversized variable-length packets and copies them into a fixed 64-byte buffer without bounds checking. An adjacent or raw-serial attacker can exploit this to trigger memory corruption and crash the PX4 system. The issue occurs when crsf_rc is enabled on a CRSF serial port. This represents a significant security risk for drone operations as it can cause flight control system crashes. The vulnerability has been patched in version 1.17.0-rc2.