Skip to main content

NETGEAR Orbi CVE-2026-0413

| EUVDEUVD-2026-35462 MEDIUM
Stack-based Buffer Overflow (CWE-121)
2026-06-09 NETGEAR GHSA-5vq9-cj6j-3h3r
4.3
CVSS 4.0 · Vendor: NETGEAR
Share

Severity by source

Vendor (NETGEAR) PRIMARY
4.3 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (NETGEAR) · only source for this CVE.

CVSS VectorVendor: NETGEAR

CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 20:13 vuln.today
CVSS changed
Jun 09, 2026 - 17:22 NVD
4.3 (MEDIUM)
CVE Published
Jun 09, 2026 - 15:50 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Insufficient input validation of buffers vulnerability in the listed NETGEAR models allows authenticated administrators connected to the local network to make unauthorized modification of router software and functionality.

AnalysisAI

Stack-based buffer overflow in NETGEAR Orbi mesh router firmware (RBE, RBR, RBS series) enables authenticated administrators with local network access to submit malformed buffer input that bypasses validation and triggers unauthorized modification of router software and functionality. The attack surface is significantly constrained by the requirement for both administrative credentials (PR:H) and adjacent network positioning (AV:A), limiting realistic exposure to insider threats or scenarios where an attacker has already compromised admin credentials within the LAN. No public exploit identified at time of analysis, SSVC confirms exploitation status as none, and vendor-released patches are available across all affected model lines.

Technical ContextAI

CWE-121 (Stack-based Buffer Overflow) describes the root cause: the router firmware fails to properly validate the length or content of input written to stack-allocated buffers, allowing a write beyond buffer boundaries that can corrupt adjacent stack data. This class of vulnerability in embedded network device firmware typically manifests in HTTP-based administration interfaces or internal RPC/IPC mechanisms where user-supplied data is copied into fixed-size stack buffers without bounds checking. The affected products are NETGEAR Orbi mesh networking devices spanning the RBE (Ethernet backhaul), RBR (router base units), and RBS (satellite units) product families, as identified by CPE strings: cpe:2.3:a:netgear:rbe37x, rbe77x, rbr750, rbr840, rbr850, rbr860, rbre950, rbre960, rbs750, and rbs840. The CVSS 4.0 vector AV:A confirms exploitation requires adjacency to the local network, consistent with the device's role as a LAN router.

RemediationAI

The primary remediation is to upgrade all affected NETGEAR Orbi devices to the vendor-released patched firmware: V7.2.8.5 or later for RBR750, RBR840, RBR850, RBR860, RBRE950, RBRE960, RBS750, RBS840, RBS850, RBS860, RBSE950, and RBSE960; V10.5.20.10 or later for RBE77X; and V12.1.2.1 or later for RBE37X. Firmware updates can be obtained through the respective product support pages linked in the CVE references (e.g., netgear.com/support/product/rbr850/). Where immediate patching is not feasible, the practical compensating control is to restrict administrative interface access to a dedicated, tightly controlled management VLAN and enforce strong, unique credentials for the router admin account, as the exploit requires both adjacency and admin-level authentication. Disabling remote management features (if not already off by default) reduces the attack surface further. These controls reduce but do not eliminate risk - the vulnerability remains exploitable by anyone with legitimate admin access on the LAN until patching is complete.

Share

CVE-2026-0413 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy