CVE-2026-8806
CVE-2026-8806 is a high-severity vulnerability with a CVSS 4.0 base score of 8.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-440.
Key facts
- Severity: High (CVSS 4.0 base score 8.7)
- EPSS exploit prediction: 0% (29th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-37975
- Weakness: CWE-440
- Published:
- Last modified:
Description
Expected Behavior Violation vulnerability in Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP all versions allows a remote attacker to cause a denial-of-service (DoS) condition in the affected product by continuously sending a large number of communication packets to the Ethernet port of the product in a short period of time, increasing the processing load of the product, preventing the internal anomaly-detection processing from being performed, and causing the communication function to stop.
Frequently asked questions
- What is CVE-2026-8806?
- Expected Behavior Violation vulnerability in Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP all versions allows a remote attacker to cause a denial-of-service (DoS) condition in the affected product by continuously sending a large number of communication packets to the Ethernet port of the product in a short period of time, increasing the processing load of the product, preventing the internal anomaly-detection processing from being performed, and causing the communication function to stop.
- How severe is CVE-2026-8806?
- CVE-2026-8806 has a CVSS 4.0 base score of 8.7, rated high severity.
- Is CVE-2026-8806 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (29th percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-8806?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-8806 have an EU (EUVD) identifier?
- Yes. CVE-2026-8806 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-37975.
- When was CVE-2026-8806 published?
- CVE-2026-8806 was published on 2026-06-19 and last updated on 2026-06-22.
References
- https://jvn.jp/vu/JVNVU97140216/
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-169-06
- https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2026-003_en.pdf
Other CWE-440 vulnerabilities
- CVE-2019-6569 — Critical (CVSS 9.1): The monitor barrier of the affected products insufficiently blocks data from being forwarded over the mirror port into…
- CVE-2024-32971 — Critical (CVSS 9.0): Apollo Router is a configurable, graph router written in Rust to run a federated supergraph that uses Apollo Federation…
- CVE-2025-8850 — High (CVSS 8.8): In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA)…
- CVE-2018-12550 — High (CVSS 8.1): When Eclipse Mosquitto version 1.0 to 1.5.5 (inclusive) is configured to use an ACL file, and that ACL file is empty,…
- CVE-2023-4807 — High (CVSS 7.8): Issue summary: The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the…
- CVE-2024-30246 — High (CVSS 7.6): Tuleap is an Open Source Suite to improve management of software developments and collaboration. A malicious user could…