Mitsubishi Electric MELSEC iQ-F Series Ethernet Modules Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Ethernet function of Mitsubishi Electric's MELSEC iQ-F Series FX5-ENET/IP Ethernet Module (versions 1.106 and prior) and the FX5-EIP EtherNet/IP Module (all versions). This vulnerability allows remote attackers to disrupt service by continuously sending UDP packets, causing the receive buffer to become depleted. As a result, the product enters a DoS state, from which recovery requires a system reset.

Impact

Exploitation of this vulnerability leads to uncontrolled consumption of the receive buffer, causing a denial-of-service condition that requires a system reset for recovery.

Remediation

Users of the FX5-ENET/IP module should update to version 1.107 or later. For the FX5-EIP module, a fixed version is expected to be released soon. Until then, users should apply the recommended mitigations. For CVE-2026-1876, there are no plans to release a fixed version, and users should also apply the suggested mitigations.

Added: Mar 3, 2026, 7:18 AM
Updated: Mar 3, 2026, 7:18 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 3.4
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.