Use After Free Vulnerability in PX4-Autopilot by PX4
CVE-2025-9020

CVSS v4 Score: 2 (LOW)

Key Information:

Vendor:
PX4

CVE Published:
15 August 2025

What is CVE-2025-9020?

A local use-after-free vulnerability exists in the MavlinkReceiver component of PX4-Autopilot in versions up to and including 1.15.4. The flaw is in the handle_message_serial_control function, which processes incoming MAVLink SERIAL_CONTROL messages; manipulation involving the _mavlink_shell pointer (the MAVLink shell object the receiver hands serial-control data to) leads to memory being used after it has been freed. The CVSS v4 vector rates the attack vector as local and the attack complexity as high, so a reliable exploit is considered difficult. Even so, the affected handler is reached by ordinary MAVLink traffic, so assess which links (serial, UDP, telemetry radio) can deliver messages to the autopilot rather than relying on the "local" rating alone. Note also that the affected-version list below is shorter than the description: treat every 1.15.x release through 1.15.4 as affected. The fix is commit 4395d4f00c49b888f030f5b43e2a779f1fa78708; apply that patch, or upgrade to a release that contains it, to remediate.
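The advisory names the bug class and the code location but not the bug shape. The block below is an added, constructed model of the way this kind of use-after-free typically arises in a message handler: the handler caches a raw pointer to an object owned by someone else, a branch asks the owner to destroy that object, and the handler keeps using its cached copy. It is not PX4's code and makes no claim about the exact control flow of the real defect. Only MavlinkShell, _mavlink_shell and the SERIAL_CONTROL message come from the advisory; the class Mavlink, the functions get_shell, close_shell, handle_serial_control_vulnerable and handle_serial_control_fixed, the FLAG_CLOSE bit and the SerialControl struct are assumptions made for the example. A small live-object registry stands in for AddressSanitizer so the stale pointer can be recognised without dereferencing freed memory.

```cpp
// Constructed model of a handler-side use-after-free (NOT PX4 code).
// Names other than MavlinkShell / _mavlink_shell are assumptions.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <set>
#include <string>

// Poor man's sanitizer: every live shell registers itself, so a stale
// pointer is detectable without touching freed memory.
static std::set<const void *> g_live_shells;

struct MavlinkShell {
    std::string received;  // bytes written to the shell so far
    MavlinkShell()  { g_live_shells.insert(this); }
    ~MavlinkShell() { g_live_shells.erase(this); }
    void write(const uint8_t *data, size_t n) {
        received.append(reinterpret_cast<const char *>(data), n);
    }
};

// Assumed owner: lazily creates the shell and can close it again.
struct Mavlink {
    MavlinkShell *_mavlink_shell = nullptr;
    Mavlink() = default;
    Mavlink(const Mavlink &) = delete;
    Mavlink &operator=(const Mavlink &) = delete;
    ~Mavlink() { close_shell(); }
    MavlinkShell *get_shell() {
        if (!_mavlink_shell) _mavlink_shell = new MavlinkShell();
        return _mavlink_shell;
    }
    void close_shell() {          // frees the object, nulls ONLY the owner's field
        delete _mavlink_shell;
        _mavlink_shell = nullptr;
    }
};

// Constructed stand-in for a SERIAL_CONTROL payload (assumed layout).
struct SerialControl {
    uint8_t flags;
    uint8_t count;
    uint8_t data[70];
};
constexpr uint8_t FLAG_CLOSE = 0x01;  // assumed: "close the shell" request

SerialControl make_serial_control(uint8_t flags, const char *payload) {
    SerialControl sc{};
    sc.flags = flags;
    size_t n = std::strlen(payload);
    if (n > sizeof sc.data) n = sizeof sc.data;
    sc.count = static_cast<uint8_t>(n);
    std::memcpy(sc.data, payload, n);
    return sc;
}

enum class Outcome { Ok, UseAfterFree, Closed };

// Vulnerable shape: a raw pointer is cached, then used after a call that
// may have freed the object it points to.
Outcome handle_serial_control_vulnerable(Mavlink &m, const SerialControl &sc) {
    MavlinkShell *shell = m.get_shell();   // cached copy of the owner's pointer
    if (sc.flags & FLAG_CLOSE) {
        m.close_shell();                   // *shell is now freed
    }
    if (sc.count > 0) {
        if (!g_live_shells.count(shell)) return Outcome::UseAfterFree;  // sanitizer would fire here
        shell->write(sc.data, sc.count);
    }
    return Outcome::Ok;
}

// Hardened shape: a close request is terminal for this message, and the
// pointer is fetched from the owner only after all state changes are done.
Outcome handle_serial_control_fixed(Mavlink &m, const SerialControl &sc) {
    if (sc.flags & FLAG_CLOSE) {
        m.close_shell();
        return Outcome::Closed;            // nothing to write to after a close
    }
    MavlinkShell *shell = m.get_shell();   // single source of truth, read late
    if (sc.count > 0) {
        shell->write(sc.data, sc.count);
    }
    return Outcome::Ok;
}
```

The general rule the fixed variant follows is not to hold a raw pointer across any call that can release the pointee; re-fetch it from the owner afterwards or make the releasing branch return. When auditing similar handlers, build the firmware's host-side tests with -fsanitize=address and feed a message that combines a close/teardown flag with a non-empty payload, which is the combination the model above trips on.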

Affected Version(s)

PX4-Autopilot 1.15.0

PX4-Autopilot 1.15.1

PX4-Autopilot 1.15.2

References

CVSS V4

Score:
2
Severity:
LOW
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
High
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 15 August 2025

Credit

0x20z (VulDB User)