Vulnerability in MAVLink Communication Protocol Impacting PX4 Systems
CVE-2026-1579

9.3 CRITICAL

Key Information:

Vendor

PX4

Status
Vendor
CVE Published:
31 March 2026

What is CVE-2026-1579?

The MAVLink communication protocol, utilized in various unmanned systems, lacks default cryptographic authentication, exposing systems to unauthorized access. Specifically, when MAVLink 2.0 message signing is disabled, an unauthenticated entity can send arbitrary messages, including those that provide interactive shell access through the SERIAL_CONTROL command. To mitigate this risk, PX4 offers MAVLink 2.0 message signing, which serves as a cryptographic authentication mechanism, ensuring that only signed messages are processed and potentially harmful unsigned messages are rejected at the protocol level. Implementing this signing process is crucial for safeguarding MAVLink communications.
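The receiver-side check described above, as an added example (not PX4 or MAVLink project code): a Python sketch that classifies MAVLink 2 frames on a link where signing is enforced, using the MAVLink 2 signing layout (a 13-byte block of link id, 48-bit timestamp and the first 48 bits of SHA-256 over key, frame, link id and timestamp). The function names, keys and sample frames are constructed for illustration, and CRC validation is left out.

```python
import hashlib
import hmac

MAGIC_V2, IFLAG_SIGNED = 0xFD, 0x01
SERIAL_CONTROL = 126                      # message id in the MAVLink common dialect
HEADER_LEN, CRC_LEN, SIG_LEN = 10, 2, 13


def signature_block(key: bytes, frame_wo_sig: bytes, link_id: int, ts: int) -> bytes:
    """link id (1) + timestamp (6, LE) + first 6 bytes of SHA-256 over key+frame+both."""
    tail = bytes([link_id]) + ts.to_bytes(6, "little")
    return tail + hashlib.sha256(key + frame_wo_sig + tail).digest()[:6]


def check_frame(key: bytes, frame: bytes, last_ts: dict) -> str:
    """Verdict for one frame on a link where signing is enforced (CRC not checked)."""
    if len(frame) < HEADER_LEN + CRC_LEN or frame[0] != MAGIC_V2:
        return "reject: not MAVLink 2"
    body_end = HEADER_LEN + frame[1] + CRC_LEN
    msgid = int.from_bytes(frame[7:10], "little")
    tag = " (SERIAL_CONTROL)" if msgid == SERIAL_CONTROL else ""
    if not frame[2] & IFLAG_SIGNED:
        return "reject: unsigned" + tag
    if len(frame) != body_end + SIG_LEN:
        return "reject: bad length" + tag
    sig = frame[body_end:]
    link_id, ts = sig[0], int.from_bytes(sig[1:7], "little")
    if not hmac.compare_digest(signature_block(key, frame[:body_end], link_id, ts), sig):
        return "reject: bad signature" + tag
    stream = (frame[5], frame[6], link_id)  # sysid, compid, link id
    if ts <= last_ts.get(stream, -1):       # timestamps must increase per stream
        return "reject: stale timestamp" + tag
    last_ts[stream] = ts
    return "accept" + tag


def build(msgid: int, payload: bytes, iflags: int = 0) -> bytes:
    """Constructed sample frame; the two CRC bytes are placeholders."""
    head = bytes([MAGIC_V2, len(payload), iflags, 0, 0, 255, 190])
    return head + msgid.to_bytes(3, "little") + payload + b"\x00\x00"


def demo() -> list:
    key, wrong, seen = bytes(range(32)), bytes(32), {}   # constructed keys
    body = build(SERIAL_CONTROL, bytes(4), IFLAG_SIGNED)
    frames = [build(SERIAL_CONTROL, bytes(4)),            # signing bit not set
              body + signature_block(wrong, body, 0, 1000),
              body + signature_block(key, body, 0, 1000),
              body + signature_block(key, body, 0, 1000)]  # same frame again
    return [check_frame(key, f, seen) for f in frames]
```

The same verdict strings can be emitted by a link monitor to alert on unsigned SERIAL_CONTROL traffic before signing is enforced on the vehicle.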

Affected Version(s)

Autopilot v1.16.0 SITL

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dolev Aviv of Cyviation reported this vulnerability to CISA.