Assessment
CFSE Consequence Paths assesses PX4 Autopilot MAVLink Unauthenticated Remote Shell (CVE-2026-1579) at EMERGENCY — the worst of 2 risk paths (safety, perception). The dominant consequence is influence over a safety-relevant actuation.
Vulnerability
PX4 Autopilot MAVLink Unauthenticated Remote Shell (CVE-2026-1579). Reported attack vector: Network (MAVLink interface, typically UDP/serial/radio link to ground control station).
CFSE Consequence Paths analysis
The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.
DEVICE_CONTROL_SAFETY → EMERGENCY
CPATH:1.0-candidate/TT:DEVICE_CONTROL_SAFETY/RE:4/EC:4/EX:4/PH:4/DP:4/AT:4/CH:4/SR:4/SX:4/OR:3/EV:2/LS:PATCH_AVAILABLE
Exposure EX=4 (reachability and complexity-bound) · bands PH=EMERGENCY · DP=EMERGENCY · AT=EMERGENCY → base EMERGENCY · uplift fleet-reachable authority → assessed EMERGENCY.
- RE4 — reachable by anyone with network/radio access to MAVLink, frequently open UDP/unauthenticated radio, default signing disabled.
- EC4 — single crafted SERIAL_CONTROL message, no memory-corruption primitive, AC:L.
- AT4 — interactive shell = total control of the autopilot, the highest-authority component on the vehicle, equivalent to control-plane/firmware-level authority over the flight computer.
- PH4 — attacker can disarm, alter mission, command flight, or crash the vehicle; CISA notes catastrophic physical damage.
- DP4 — shell can read and inject into perception/control loops (nav, sensor state) that drive flight;
- perception_feeds_action — true.
- CH4 — cross-domain bridge from network/radio into device shell and physical actuation, reusable across the fleet;
- boundary_crossing — across link/device/physical/safety.
- SR4 — missing-auth design default in widely deployed open-source firmware, single reused technique, no per-target artifact.
- SX4 — fleet-scale remote, trivially repeatable against any PX4 vehicle with signing disabled, no per-device access needed.
- OR3 — recovery is a configuration/hardening change (enable MAVLink 2.0 signing + network segmentation) across affected vehicles, not a per-device recall or signing-root rotation.
- EV2 — report-backed (CVE/ICSA advisory), not reproduced here.
DATA_PRIVACY → CRITICAL
CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:4/EC:4/EX:4/PH:4/DP:3/AT:4/CH:3/SR:4/SX:4/OR:3/EV:2/LS:PATCH_AVAILABLE
Exposure EX=4 (reachability and complexity-bound) · bands PH=EMERGENCY · DP=CRITICAL · AT=EMERGENCY → base EMERGENCY · uplift fleet-reachable authority · caps privacy-only cap → assessed CRITICAL.
- Same position (RE4) and execution (EC4) as the control path: unauthenticated MAVLink reachability + single SERIAL_CONTROL message yielding a shell.
- AT4 — full shell authority over the flight controller.
- PH0 — pure data exfiltration path, no direct physical/safety effect.
- DP3 — exfiltration of telemetry, mission data, and onboard storage (operational/proprietary/sensitive-op-state); this read-out does not by itself drive physical action so perception_feeds_action=false.
- CH3 — /boundary_crossing: crosses network/device boundary to extract device-held data, reusable.
- SR4 — same shared missing-auth design default, portable technique.
- SX4 — fleet-scale remote exfiltration without per-device access.
- OR3 — same config/hardening remediation.
- EV2 — report-backed.
Published baseline
- v4.0 9.3 CRITICAL —
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X — CISA/ICS-CERT via NVD
- v3.1 9.8 CRITICAL —
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — CISA/ICS-CERT via NVD
The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.
Sources