CVE-2024-50996

Name of the Vulnerable Software and Affected Versions Netgear R8500 version 1.0.2.160 Netgear XR300 version 1.0.3.78 Netgear R7000P version 1.3.3.154 Netgear R6400 v2 version 1.0.4.128

Description The issue is related to a stack overflow vulnerability in the genie bpa.cgi script, specifically via the bpa server parameter. This allows attackers to cause a Denial of Service (DoS) via a crafted POST request to the /genie bpa.cgi endpoint. The vulnerability is due to a buffer copy without checking the size of the input data when handling the bpa server parameter.

Recommendations For Netgear R8500 version 1.0.2.160, update to a newer version that contains a fix for this issue. For Netgear XR300 version 1.0.3.78, update to a newer version that contains a fix for this issue. For Netgear R7000P version 1.3.3.154, update to a newer version that contains a fix for this issue. For Netgear R6400 v2 version 1.0.4.128, update to a newer version that contains a fix for this issue. As a temporary workaround, consider restricting access to the genie bpa.cgi script to minimize the risk of exploitation. Avoid using the bpa server parameter in the affected API endpoint until the issue is resolved.