What is CVE-2025-9020?

CVE-2025-9020 is a medium-severity vulnerability in Px4 Px4-autopilot, classified under Use After Free. CVSS score: 4.5/10. Published 2025-08-15.

How severe is CVE-2025-9020?

Medium severity. CVSS v3 base score is 4.5 out of 10.

Use After Free in Px4 Px4-autopilot

CVE-2025-9020

A vulnerability was found in PX4 PX4-Autopilot up to 1.15.4. This issue affects the function MavlinkReceiver::handle_message_serial_control of the file src/modules/mavlink/mavlink_receiver.cpp of the component Mavlink Shell Closing Handler…

Vulnerability class: Use-After-Free

EPSS: 0.000 (7.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.5 (Medium). Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C.

Affected products

Px4 Px4-autopilot — versions 1.15.0, 1.15.1, 1.15.2

Weakness classification (CWE)

References

VDB-320081 | PX4 PX4-Autopilot Mavlink Shell Closing mavlink_receiver.cpp handle_message_serial_control use after free (vdb-entry, technical-description)
VDB-320081 | CTI Indicators (IOB, IOC, IOA) (signature, permissions-required)
Submit #624722 | PX4 PX4-Autopilot main and v1.15.4 Race Condition in File Access (third-party-advisory)
github.com/PX4/PX4-Autopilot/issues/25046 (issue-tracking)
github.com/PX4/PX4-Autopilot/pull/25082 (issue-tracking)
github.com/PX4/PX4-Autopilot/pull/25082/commits/4395d4f00c49b888f030f5b43e2a779… (issue-tracking, patch)

Frequently asked questions

What is CVE-2025-9020?: CVE-2025-9020 is a medium-severity vulnerability in Px4 Px4-autopilot, classified under Use After Free. CVSS score: 4.5/10. Published 2025-08-15.
How severe is CVE-2025-9020?: Medium severity. CVSS v3 base score is 4.5 out of 10.