Description

An insufficient input validation vulnerability in the DHCPv6 functionality of NETGEAR Orbi devices allows network-adjacent attackers, authenticated over WiFi or on the LAN, to perform OS command injection on the router. DHCPv6 is not enabled by default.

PUBLISHED Reserved 2025-12-03 | Published 2026-01-13 | Updated 2026-01-14 | Assigner NETGEAR




MEDIUM: 4.8
CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/AU:N/R:U/V:D/RE:M/U:Amber

Problem types

CWE-20 Improper Input Validation

Product status

Default status
unaffected

Any version before v7.2.8.5
affected

Default status
unaffected

Any version before v7.2.8.5
affected

Default status
unaffected

Any version before v7.2.8.5
affected

Default status
unaffected

Any version before v7.2.8.5
affected

Default status
unaffected

Any version before v7.2.8.5
affected

Default status
unaffected

Any version before v7.2.8.5
affected

Default status
unaffected

Any version before v7.2.8.5
affected

Default status
unaffected

Any version before v7.2.8.5
affected

Default status
unaffected

Any version before v7.2.8.5
affected

Default status
unaffected

Any version before v7.2.8.5
affected

Default status
unaffected

Any version before v7.2.8.5
affected

Default status
unaffected

Any version before v7.2.8.5
affected

Credits

Hyunseok Yun finder

References

www.netgear.com/support/product/rbre960 patch product

www.netgear.com/support/product/rbse960 product patch

www.netgear.com/support/product/rbr850 product patch

www.netgear.com/support/product/rbs850 product patch

www.netgear.com/support/product/rbr860 product patch

www.netgear.com/support/product/rbs860 product patch

www.netgear.com/support/product/rbre950 product patch

www.netgear.com/support/product/rbse950 product patch

www.netgear.com/support/product/rbr750 product patch

www.netgear.com/support/product/rbs750 product patch

www.netgear.com/support/product/rbr840 product patch

www.netgear.com/support/product/rbs840 product patch

kb.netgear.com/...442/January-2026-NETGEAR-Security-Advisory vendor-advisory

cve.org (CVE-2026-0404)

nvd.nist.gov (CVE-2026-0404)
