CVE-2026-0404

CWE-20 — Improper Input Validation3 documents3 sources

Severity

4.8MEDIUM

EPSS

0.1%

top 64.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netgear Rbr750 Netgear Rbr840 Netgear Rbr850 +21 more

Timeline

PublishedJan 13

Description

An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default.

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages24 packages

▶CVEListV5netgear/rbr750< v7.2.8.5

▶CVEListV5netgear/rbr840< v7.2.8.5

▶CVEListV5netgear/rbr850< v7.2.8.5

▶CVEListV5netgear/rbr860< v7.2.8.5

▶CVEListV5netgear/rbs750< v7.2.8.5

Patches

Patch: kb.netgear.com ↗Patch: www.netgear.com ↗Patch: www.netgear.com ↗

🔴Vulnerability Details

GHSA

GHSA-jvf4-gm9f-33g9: An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi↗2026-01-13

▶

CVEList

Insufficient input validation in NETGEAR Orbi routers↗2026-01-13

▶