Unrated severityNVD Advisory· Published Jan 13, 2026· Updated Feb 26, 2026

Insufficient input validation in NETGEAR Orbi routers

CVE-2026-0404

Description

An insufficient input validation vulnerability in NETGEAR Orbi devices' DHCPv6 functionality allows network adjacent attackers authenticated over WiFi or on LAN to execute OS command injections on the router. DHCPv6 is not enabled by default.

Affected products

Netgear/Orbillm-create
NETGEAR/RBR750v5
Range: 0
NETGEAR/RBR840v5
Range: 0
NETGEAR/RBR850v5
Range: 0
NETGEAR/RBR860v5
Range: 0
NETGEAR/RBRE950v5
Range: 0
NETGEAR/RBRE960v5
Range: 0
NETGEAR/RBS750v5
Range: 0
NETGEAR/RBS840v5
Range: 0
NETGEAR/RBS850v5
Range: 0
NETGEAR/RBS860v5
Range: 0
NETGEAR/RBSE950v5
Range: 0
NETGEAR/RBSE960v5
Range: 0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.netgear.com/support/product/rbr750mitreproductpatch
www.netgear.com/support/product/rbr840mitreproductpatch
www.netgear.com/support/product/rbr850mitreproductpatch
www.netgear.com/support/product/rbr860mitreproductpatch
www.netgear.com/support/product/rbre950mitreproductpatch
www.netgear.com/support/product/rbre960mitrepatchproduct
www.netgear.com/support/product/rbs750mitreproductpatch
www.netgear.com/support/product/rbs840mitreproductpatch
www.netgear.com/support/product/rbs850mitreproductpatch
www.netgear.com/support/product/rbs860mitreproductpatch
www.netgear.com/support/product/rbse950mitreproductpatch
www.netgear.com/support/product/rbse960mitreproductpatch
kb.netgear.com/000070442/January-2026-NETGEAR-Security-Advisorymitrevendor-advisory

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000