Skip to main content

NETGEAR Orbi CVE-2026-3088

| EUVDEUVD-2026-35456 MEDIUM
Out-of-bounds Write (CWE-787)
2026-06-09 NETGEAR GHSA-r4pc-3chm-q76v
4.9
CVSS 4.0 · Vendor: NETGEAR
Share

Severity by source

Vendor (NETGEAR) PRIMARY
4.9 MEDIUM
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:L/U:Amber

Primary rating from Vendor (NETGEAR) · only source for this CVE.

CVSS VectorVendor: NETGEAR

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:L/U:Amber
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 09, 2026 - 20:04 vuln.today
CVSS changed
Jun 09, 2026 - 17:22 NVD
4.9 (MEDIUM)
CVE Published
Jun 09, 2026 - 15:50 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Unauthenticated users on the local network can cause the router to become unavailable by sending specially crafted requests.

AnalysisAI

Denial-of-service via out-of-bounds write in NETGEAR Orbi mesh router and satellite firmware allows unauthenticated, adjacent-network attackers to render affected devices unavailable by sending specially crafted requests. The vulnerability affects multiple Orbi 860/950/960/970/971-series devices across a broad firmware version range, with fixed builds available per vendor advisory. No public exploit code or active exploitation has been identified at time of analysis (CVSS E:U), though the low attack complexity and absence of any authentication requirement make this straightforward to reproduce for any attacker with local network access.

Technical ContextAI

CWE-787 (Out-of-Bounds Write) indicates that the router's request-handling code writes data beyond the bounds of an allocated memory buffer, consistent with the 'Buffer Overflow' and 'Memory Corruption' tags. In embedded router firmware, such a write typically corrupts adjacent heap or stack memory structures, leading to a process crash or kernel panic that takes the device offline. The CVSS 4.0 vector AV:A confirms the attack surface is the adjacent local network (e.g., LAN/Wi-Fi segment), meaning the vulnerability resides in a service listening on a local-facing interface rather than the WAN. Affected products span NETGEAR's Orbi 860, 950, 960, 970, and 971 series (CPE: cpe:2.3:a:netgear:rbr860, rbre950, rbre960, rbre970, rbre971, rbs860, rbse950, rbse960), covering both router (RBR/RBRE) and satellite (RBS/RBSE) units in the mesh system.

RemediationAI

The primary fix is upgrading affected devices to the vendor-released patched firmware. For the 860/950/960 series (RBR860, RBS860, RBRE950, RBSE950, RBRE960, RBSE960), upgrade to firmware V7.2.7.15 or later. For the 970/971 series (RBRE970, RBRE971), upgrade to V9.10.1.4 or later. Firmware can be obtained from NETGEAR's product support pages linked in the references above or via the Orbi mobile app's automatic update function. If immediate patching is not possible, a targeted compensating control is to restrict Wi-Fi access to trusted devices only using MAC address filtering or WPA3-Enterprise with certificate-based authentication, which limits the pool of adjacent-network attackers - note that MAC filtering alone is bypassable by spoofing and should not be treated as a security boundary. Network segmentation (placing the Orbi management interface on a VLAN inaccessible to untrusted clients) reduces exposure but does not eliminate it. Guest network isolation, if enabled, prevents guest-segment attackers from reaching the primary LAN-facing service.

Share

CVE-2026-3088 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy