CVE-2026-26673
Published: 04 March 2026
Summary
CVE-2026-26673 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in DJI Mavic Mini firmware. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 47.2nd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-26673 is a denial-of-service vulnerability in the DJI Enhanced-WiFi transmission subsystem of specific DJI drone models, including Mavic Mini, Spark, Mavic Air, Mini, and Mini SE running firmware version 0.1.00.0500 and below. Classified under CWE-400 (Uncontrolled Resource Consumption), the flaw enables resource exhaustion, earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A remote attacker can exploit this vulnerability over the network with low attack complexity, no required privileges, and no user interaction. Exploitation leads to a denial of service, severely impacting the affected drone's availability by disrupting WiFi transmission without compromising confidentiality or integrity.
Mitigation details and further technical analysis are available in the referenced GitHub repository at https://github.com/ByteMe1001/DJI-CatNect.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9420
Vulnerability details
An issue in DJI Mavic Mini, Spark, Mavic Air, Mini, Mini SE 0.1.00.0500 and below allows a remote attacker to cause a denial of service via the DJI Enhanced-WiFi transmission subsystem.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remote network-exploitable flaw (CWE-400) that directly causes resource exhaustion and denial of service against the drone's WiFi subsystem; this maps exactly to T1499.004 (Application or System Exploitation) under the Endpoint Denial of Service technique.
Mitigating Controls (NIST 800-53 r5)
Directly implements denial-of-service protections to counter resource exhaustion in the DJI Enhanced-WiFi transmission subsystem.
Ensures resource availability by allocating and protecting system resources against uncontrolled consumption attacks like this CVE.
Provides timely flaw remediation for the specific vulnerability in DJI drone firmware versions 0.1.00.0500 and below.