PX4 Autopilot Throttle Safety Check Bypass Vulnerability in Mode Switching Logic

A vulnerability exists in PX4 Autopilot versions 1.12.x through 1.15.x, where the "Re-arm Grace Period" logic improperly applies in-air emergency re-arm procedures to ground situations. This flaw allows a drone to bypass critical pre-flight safety checks, including the throttle threshold, leading to uncommanded high-thrust takeoffs. The issue arises when a pilot switches to Manual mode and re-arms within 5 seconds of an automatic landing, creating a risk of loss of control.

Impact

Exploitation of this vulnerability can cause a drone to perform an immediate, uncommanded takeoff at high throttle, bypassing standard safety checks. This behavior can lead to a flyaway situation, where the drone ascends rapidly without control, potentially causing crashes, property damage, or personal injury.

Reproduction

The vulnerability can be reproduced in the PX4 Autopilot Software In The Loop (SITL) simulation environment. After landing a drone that is still armed, raise the throttle stick and switch to Manual mode. The drone will immediately take off at a high throttle, ignoring the usual safety checks.

Remediation

To address this vulnerability, a pre-transition safety check should be implemented. The system must verify if the vehicle is armed and if the throttle is below a certain threshold before allowing a mode switch to Manual. Until this fix is applied, operators should manually disarm the drone and ensure the throttle is at its lowest position before changing flight modes.