Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:L/U:Amber
Primary rating from Vendor (NETGEAR) · only source for this CVE.
CVSS VectorVendor: NETGEAR
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:D/RE:L/U:Amber
Lifecycle Timeline
3DescriptionCVE.org
Unauthenticated users on the local network can cause the router to become unavailable by sending specially crafted requests.
AnalysisAI
Denial-of-service via out-of-bounds write in NETGEAR Orbi mesh router and satellite firmware allows unauthenticated, adjacent-network attackers to render affected devices unavailable by sending specially crafted requests. The vulnerability affects multiple Orbi 860/950/960/970/971-series devices across a broad firmware version range, with fixed builds available per vendor advisory. No public exploit code or active exploitation has been identified at time of analysis (CVSS E:U), though the low attack complexity and absence of any authentication requirement make this straightforward to reproduce for any attacker with local network access.
Technical ContextAI
CWE-787 (Out-of-Bounds Write) indicates that the router's request-handling code writes data beyond the bounds of an allocated memory buffer, consistent with the 'Buffer Overflow' and 'Memory Corruption' tags. In embedded router firmware, such a write typically corrupts adjacent heap or stack memory structures, leading to a process crash or kernel panic that takes the device offline. The CVSS 4.0 vector AV:A confirms the attack surface is the adjacent local network (e.g., LAN/Wi-Fi segment), meaning the vulnerability resides in a service listening on a local-facing interface rather than the WAN. Affected products span NETGEAR's Orbi 860, 950, 960, 970, and 971 series (CPE: cpe:2.3:a:netgear:rbr860, rbre950, rbre960, rbre970, rbre971, rbs860, rbse950, rbse960), covering both router (RBR/RBRE) and satellite (RBS/RBSE) units in the mesh system.
RemediationAI
The primary fix is upgrading affected devices to the vendor-released patched firmware. For the 860/950/960 series (RBR860, RBS860, RBRE950, RBSE950, RBRE960, RBSE960), upgrade to firmware V7.2.7.15 or later. For the 970/971 series (RBRE970, RBRE971), upgrade to V9.10.1.4 or later. Firmware can be obtained from NETGEAR's product support pages linked in the references above or via the Orbi mobile app's automatic update function. If immediate patching is not possible, a targeted compensating control is to restrict Wi-Fi access to trusted devices only using MAC address filtering or WPA3-Enterprise with certificate-based authentication, which limits the pool of adjacent-network attackers - note that MAC filtering alone is bypassable by spoofing and should not be treated as a security boundary. Network segmentation (placing the Orbi management interface on a VLAN inaccessible to untrusted clients) reduces exposure but does not eliminate it. Guest network isolation, if enabled, prevents guest-segment attackers from reaching the primary LAN-facing service.
Stack-based buffer overflow in multiple NETGEAR Orbi mesh WiFi models (RBR860, RBRE950/960, RBE970/971, RBS860, RBSE950/
Insufficient input validation across multiple NETGEAR Orbi mesh router models (RBR/RBS/RBE series) permits authenticated
Stack-based buffer overflow in NETGEAR Orbi mesh router firmware (RBE, RBR, RBS series) enables authenticated administra
Same weakness CWE-787 – Out-of-bounds Write
View allSame technique Memory Corruption
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35456
GHSA-r4pc-3chm-q76v