CVE-2026-1876
Published: 03 March 2026
Summary
CVE-2026-1876 is a high-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Mitsubishi Electric MELSEC iQ-F FX5-ENET/IP firmware. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Direct Network Flood (T1498.001). The CVE ranks at the 34.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-1876 is an Improper Resource Shutdown or Release vulnerability classified under CWE-404, affecting all versions of the Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module. Published on 2026-03-03, this flaw enables a remote attacker to induce a denial-of-service (DoS) condition on the affected products by continuously sending UDP packets. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects high availability impact without confidentiality or integrity disruption.
Any remote attacker with network access to the device can exploit this vulnerability; exploitation requires low complexity, no privileges, and no user interaction. Exploitation disrupts device availability through resource exhaustion, rendering the module unresponsive until a manual system reset is performed for recovery.
Advisories providing mitigation guidance and patch information include JVN VU#93286687 at https://jvn.jp/vu/JVNVU93286687/, CISA ICSA-26-62-01 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-62-01, and Mitsubishi Electric PSIRT document 2025-021 at https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-021_en.pdf.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9282
Vulnerability details
Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP all versions allows a remote attacker to cause a denial-of-service (DoS) condition on the products by continuously sending UDP packets to the products. A system reset of the product is required for recovery.
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
Vulnerability enables remote UDP flood causing resource exhaustion and DoS on the target module.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly implements controls to protect against denial-of-service attacks via UDP packet floods causing resource exhaustion as in this CVE.
Ensures timely remediation of the improper resource shutdown flaw through patching, as advised in related advisories for this CVE.
Monitors and controls communications at network boundaries to block or detect excessive UDP traffic exploiting this vulnerability.