Cyber Resilience

CVE-2026-26673

High · Public PoC · DDoS

Published: 04 March 2026

Modified: 05 March 2026
KEV Added
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0024 (47.2th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26673 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in DJI Mavic Mini firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 47.2th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2026-26673 is a denial-of-service vulnerability in the DJI Enhanced-WiFi transmission subsystem of specific DJI drone models, including Mavic Mini, Spark, Mavic Air, Mini, and Mini SE running firmware version 0.1.00.0500 and below. Classified under CWE-400 (Uncontrolled Resource Consumption), the flaw enables resource exhaustion, earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A remote attacker can exploit this vulnerability over the network with low attack complexity, no required privileges, and no user interaction. Exploitation leads to a denial of service, severely impacting the affected drone's availability by disrupting WiFi transmission without compromising confidentiality or integrity.

Mitigation details and further technical analysis are available in the referenced GitHub repository at https://github.com/ByteMe1001/DJI-CatNect.

Vulnerability details

An issue in DJI Mavic Mini, Spark, Mavic Air, Mini, Mini SE 0.1.00.0500 and below allows a remote attacker to cause a denial of service via the DJI Enhanced-WiFi transmission subsystem.

CWE(s)

CWE-400 (Uncontrolled Resource Consumption)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes a remote network-exploitable flaw (CWE-400) that directly causes resource exhaustion and denial of service against the drone's WiFi subsystem; this maps exactly to T1499.004 (Application or System Exploitation) under the Endpoint Denial of Service technique.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-56921 (Shared CWE-400)
CVE-2026-33538 (Shared CWE-400)
CVE-2026-0517 (Shared CWE-400)
CVE-2026-6051 (Shared CWE-400)
CVE-2026-21945 (Shared CWE-400)
CVE-2026-33750 (Shared CWE-400)
CVE-2024-33618 (Shared CWE-400)
CVE-2025-69534 (Shared CWE-400)
CVE-2025-29487 (Shared CWE-400)
CVE-2025-9278 (Shared CWE-400)

Affected Assets

dji · mavic mini firmware · ≤ 01.00.0600
dji · spark firmware · ≤ 01.00.1000
dji · mini se firmware · ≤ 01.02.0000

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly implements denial-of-service protections to counter resource exhaustion in the DJI Enhanced-WiFi transmission subsystem.

Prevent: Ensures resource availability by allocating and protecting system resources against uncontrolled consumption attacks like this CVE.

Prevent: Provides timely flaw remediation for the specific vulnerability in DJI drone firmware versions 0.1.00.0500 and below.

References