CVE-2026-0404
Severity CVSS v4.0:
MEDIUM
Type:
CWE-20
Input Validation
Publication date:
13/01/2026
Last modified:
14/01/2026
Description
An insufficient input validation vulnerability in NETGEAR Orbi devices&#39; <br />
DHCPv6 functionality allows network adjacent attackers authenticated <br />
over WiFi or on LAN to execute OS command injections on the router. <br />
DHCPv6 is not enabled by default.
References to Advisories, Solutions, and Tools
- https://kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisory
- https://www.netgear.com/support/product/rbr750
- https://www.netgear.com/support/product/rbr840
- https://www.netgear.com/support/product/rbr850
- https://www.netgear.com/support/product/rbr860
- https://www.netgear.com/support/product/rbre950
- https://www.netgear.com/support/product/rbre960
- https://www.netgear.com/support/product/rbs750
- https://www.netgear.com/support/product/rbs840
- https://www.netgear.com/support/product/rbs850
- https://www.netgear.com/support/product/rbs860
- https://www.netgear.com/support/product/rbse950
- https://www.netgear.com/support/product/rbse960