PatchSiren cyber security CVE debrief

CVE-2026-1579 PX4 CVE debrief

CVE-2026-1579 describes a high-impact authentication weakness in PX4 Autopilot deployments that use MAVLink without 2.0 message signing. According to CISA, when signing is not enabled, an unauthenticated party with access to the MAVLink interface can send messages, including SERIAL_CONTROL, which can provide interactive shell access. PX4’s mitigation is to enable MAVLink 2.0 message signing so unsigned messages are rejected at the protocol level. CISA published the advisory on 2026-03-31; the supplied SSVC note indicates an exploitation status of E:N/A:Y as of 2026-03-30.

Vendor: PX4
Product: Autopilot
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-31
Original CVE updated: 2026-03-31
Advisory published: 2026-03-31
Advisory updated: 2026-03-31

Who should care

PX4 integrators, drone/UAS operators, OEMs, fleet maintainers, and any defenders responsible for systems exposing a MAVLink interface. This is most important for deployments where message signing is disabled or inconsistently enforced on non-USB links.

Technical summary

The issue is not a buffer overflow or code-execution flaw in the traditional sense; it is a missing authentication control on MAVLink traffic by default. If MAVLink 2.0 message signing is not enabled, the protocol will accept commands from an unauthenticated party with interface access. CISA specifically calls out SERIAL_CONTROL as an example of a message that can grant interactive shell access. PX4 states that message signing is its cryptographic authentication mechanism for MAVLink communication, and that signed-mode enforcement rejects unsigned messages at the protocol layer.

Defensive priority

Critical priority. The advisory maps to CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and the documented impact can include full compromise of confidentiality, integrity, and availability for reachable MAVLink deployments. Treat as urgent for any exposed or operational MAVLink interface with signing disabled.

Recommended defensive actions

  • Enable MAVLink 2.0 message signing on all non-USB communication links, as recommended by PX4.
  • Verify that unsigned MAVLink messages are rejected everywhere signing is intended to be enforced.
  • Review PX4 hardening guidance for integrators and manufacturers and align fleet configuration with the published security hardening documentation.
  • Audit deployments to identify any system where MAVLink interface access is reachable without cryptographic authentication.
  • Confirm operational procedures for key management and signing configuration so protections remain enabled after updates or rebuilds.
  • Prioritize immediate remediation for any production, test, or fielded system that can accept MAVLink commands from untrusted network paths.
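The technical summary and the first two actions above hinge on one receiver-side decision: does an inbound MAVLink frame that carries no signature get processed or dropped? The following Python sketch is an added illustration written for this debrief; it is not PX4's code and not part of the CISA advisory. It implements the publicly documented MAVLink 2 signing layout (incompat_flags bit 0x01, then a 13-byte trailer of link id, 48-bit timestamp in 10 µs units since 2015-01-01, and the first 6 bytes of SHA-256 over the 32-byte secret key, the frame, the link id and the timestamp) together with the X.25 frame CRC, and pairs a frame builder with a verifier so a defender can exercise the "unsigned frames are rejected" property on a test bench. The 32-byte key, the HEARTBEAT sample frame and the fixed timestamps are constructed demo values; real keys and crc_extra tables come from the vehicle's own configuration and dialect.

```python
import hashlib
import hmac
import struct
import time

# MAVLink 2 framing constants taken from the public protocol spec (not PX4 code)
MAVLINK2_STX = 0xFD
IFLAG_SIGNED = 0x01          # incompat_flags bit set on signed frames
HEADER_LEN = 10              # STX, len, incompat, compat, seq, sysid, compid, msgid(3)
SIGNATURE_LEN = 13           # link_id (1) + timestamp (6) + signature (6)
EPOCH_2015 = 1420070400      # 2015-01-01T00:00:00Z, origin of the 10 us timestamp
HEARTBEAT_ID, HEARTBEAT_CRC_EXTRA = 0, 50   # sample message used by the demo


def x25_crc(data: bytes) -> int:
    """X.25 (MCRF4XX) checksum used for the MAVLink frame CRC."""
    crc = 0xFFFF
    for b in data:
        tmp = (b ^ (crc & 0xFF)) & 0xFF
        tmp = (tmp ^ (tmp << 4)) & 0xFF
        crc = ((crc >> 8) ^ (tmp << 8) ^ (tmp << 3) ^ (tmp >> 4)) & 0xFFFF
    return crc


def build_frame(payload, msgid, crc_extra, seq=0, sysid=1, compid=1,
                secret_key=None, link_id=0, timestamp=None) -> bytes:
    """Encode a MAVLink 2 frame; append the signature trailer when a key is given."""
    incompat = IFLAG_SIGNED if secret_key is not None else 0
    header = struct.pack("<BBBBBBB", MAVLINK2_STX, len(payload), incompat, 0,
                         seq, sysid, compid) + msgid.to_bytes(3, "little")
    # CRC covers len..payload (STX excluded) plus the message's crc_extra byte
    crc = x25_crc(header[1:] + payload + bytes([crc_extra]))
    frame = header + payload + struct.pack("<H", crc)
    if secret_key is None:
        return frame
    if timestamp is None:
        timestamp = int((time.time() - EPOCH_2015) * 100_000)   # 10 us units
    ts = timestamp.to_bytes(6, "little")
    # signature = first 48 bits of SHA-256(key || header || payload || crc || link_id || timestamp)
    sig = hashlib.sha256(secret_key + frame + bytes([link_id]) + ts).digest()[:6]
    return frame + bytes([link_id]) + ts + sig


class SigningVerifier:
    """Receiver-side check: signed-mode enforcement plus per-stream replay protection."""

    def __init__(self, secret_key: bytes, require_signing: bool = True):
        self.key = secret_key
        self.require_signing = require_signing
        self.last_ts = {}   # (link_id, sysid, compid) -> highest timestamp accepted

    def check(self, frame: bytes, crc_extra: int):
        """Return (accepted, reason) for one inbound frame."""
        if len(frame) < HEADER_LEN + 2 or frame[0] != MAVLINK2_STX:
            return False, "not a MAVLink 2 frame"
        plen, incompat, sysid, compid = frame[1], frame[2], frame[5], frame[6]
        signed = bool(incompat & IFLAG_SIGNED)
        body_end = HEADER_LEN + plen + 2
        if len(frame) != body_end + (SIGNATURE_LEN if signed else 0):
            return False, "length does not match header"
        body = frame[:body_end]
        if struct.unpack("<H", body[-2:])[0] != x25_crc(body[1:-2] + bytes([crc_extra])):
            return False, "crc mismatch"
        if not signed:
            # This is the decision the advisory is about: without signed-mode
            # enforcement an unauthenticated frame is accepted and acted upon.
            if self.require_signing:
                return False, "unsigned frame rejected"
            return True, "accepted without authentication"
        link_id = frame[body_end]
        ts_bytes = frame[body_end + 1:body_end + 7]
        sig = frame[body_end + 7:body_end + 13]
        expected = hashlib.sha256(self.key + body + bytes([link_id]) + ts_bytes).digest()[:6]
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"
        stream = (link_id, sysid, compid)
        ts = int.from_bytes(ts_bytes, "little")
        if ts <= self.last_ts.get(stream, 0):   # spec: timestamp must increase per stream
            return False, "replayed or stale timestamp"
        self.last_ts[stream] = ts
        return True, "accepted"


def demo() -> dict:
    """Exercise the verifier with constructed frames; returns outcome per scenario."""
    key = bytes(range(32))                 # constructed demo key, never a real one
    payload = b"\x00" * 9                  # constructed HEARTBEAT-sized payload
    args = (payload, HEARTBEAT_ID, HEARTBEAT_CRC_EXTRA)
    strict = SigningVerifier(key, require_signing=True)
    permissive = SigningVerifier(key, require_signing=False)
    unsigned = build_frame(*args)
    signed = build_frame(*args, secret_key=key, link_id=1, timestamp=1000)
    forged = build_frame(*args, secret_key=b"\x00" * 32, link_id=1, timestamp=2000)
    return {
        "unsigned_strict": strict.check(unsigned, HEARTBEAT_CRC_EXTRA)[0],     # False
        "signed_strict": strict.check(signed, HEARTBEAT_CRC_EXTRA)[0],         # True
        "replay_strict": strict.check(signed, HEARTBEAT_CRC_EXTRA)[0],         # False
        "forged_strict": strict.check(forged, HEARTBEAT_CRC_EXTRA)[0],         # False
        "unsigned_permissive": permissive.check(unsigned, HEARTBEAT_CRC_EXTRA)[0],  # True
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:20s} accepted={accepted}")
```

The `unsigned_permissive` case is the configuration the advisory describes: the frame is well-formed, the CRC matches, and nothing authenticates the sender. Flipping `require_signing` to true is the protocol-layer rejection PX4 refers to. When auditing a fleet, the useful bench test is the first row: send a well-formed unsigned frame over each non-USB link and confirm the vehicle ignores it.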

Evidence notes

This debrief is based on the CISA CSAF advisory ICSA-26-090-02 for CVE-2026-1579, published and modified on 2026-03-31. The advisory states that MAVLink does not require cryptographic authentication by default, that unauthenticated parties can send messages when MAVLink 2.0 signing is disabled, and that SERIAL_CONTROL can provide interactive shell access. It also states that PX4 uses MAVLink 2.0 message signing and rejects unsigned messages when signing is enabled. The supplied timeline contains no KEV listing for this CVE.

Official resources

Publicly disclosed by CISA in advisory ICSA-26-090-02 on 2026-03-31. No KEV listing is provided in the supplied timeline.