Insufficient Input Validation in NETGEAR Orbi DHCPv6 Allows OS Injection
CVE-2026-0404 Published on January 13, 2026

Insufficient input validation in NETGEAR Orbi routers
An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default.

Vendor Advisory NVD

Weakness Type

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Products Associated with CVE-2026-0404

Want to know whenever a new CVE is published for Netgear products? stack.watch will email you.

Netgear Rbre960

Netgear Rbse960

Netgear Rbr850

Netgear Rbs850

Netgear Rbr860

Netgear Rbs860

Netgear Rbre950

Netgear Rbse950

Netgear Rbr750

Netgear Rbs750

Netgear Rbr840

Netgear Rbs840

Affected Versions

NETGEAR RBRE960:

Before v7.2.8.5 is affected.

NETGEAR RBSE960:

Before v7.2.8.5 is affected.

NETGEAR RBR850:

Before v7.2.8.5 is affected.

NETGEAR RBS850:

Before v7.2.8.5 is affected.

NETGEAR RBR860:

Before v7.2.8.5 is affected.

NETGEAR RBS860:

Before v7.2.8.5 is affected.

NETGEAR RBRE950:

Before v7.2.8.5 is affected.

NETGEAR RBSE950:

Before v7.2.8.5 is affected.

NETGEAR RBR750:

Before v7.2.8.5 is affected.

NETGEAR RBS750:

Before v7.2.8.5 is affected.

NETGEAR RBR840:

Before v7.2.8.5 is affected.

NETGEAR RBS840:

Before v7.2.8.5 is affected.

Exploit Probability

EPSS

0.17%

Percentile

37.84%