CVE-2026-10124
Stack-Based Buffer Overflow in Shibby Tomato
Publication date: 2026-05-30
Last updated on: 2026-05-30
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shibby | tomato | to 1.28 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-119 | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data. |
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10124 is a stack-based buffer overflow vulnerability found in the Shibby Tomato firmware version 1.28, specifically in the rip_zebra_read_ipv4 function of the /usr/sbin/ripd component (Zserv Handler).
The vulnerability occurs because the ripd daemon reads an attacker-controlled IPv4 prefix length (plen) without proper validation and uses it to calculate a byte count for copying data onto the stack. The destination buffer on the stack is too small and does not clamp the prefix length to a maximum of 32, allowing an attacker to overflow the buffer.
This overflow can overwrite saved registers and the return address, potentially leading to control-flow corruption and remote code execution.
The attack can be launched remotely, but the attack surface is limited to local privileged IPC boundaries or indirect administrative access in some configurations.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary code remotely by exploiting the stack-based buffer overflow in the ripd daemon.
Successful exploitation may lead to control-flow corruption, which can result in unauthorized access, privilege escalation, or denial of service due to crashes.
Since the affected products are no longer supported, patches or fixes may not be available, increasing the risk if the vulnerable firmware is still in use.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs in the ripd daemon of Shibby Tomato firmware when processing zebra routing updates via the local Unix domain socket /tmp/.zserv.
Detection involves monitoring for crashes or abnormal behavior of the ripd process, especially when handling zebra routing updates.
Since the vulnerability is triggered by a crafted zserv frame with an invalid IPv4 prefix length (plen > 32), you can detect attempts by checking for unusual or malformed IPC messages to /tmp/.zserv.
- Use system logs or process monitoring tools to detect ripd crashes or restarts.
- Monitor the Unix domain socket /tmp/.zserv for unexpected or malformed packets.
- If you have access to the device, you might use debugging or tracing tools (e.g., strace) on ripd to observe abnormal input handling.
No specific commands are provided in the resources, but general commands to check ripd status and logs could include:
- ps aux | grep ripd
- journalctl -u ripd (if systemd is used)
- netstat -xl | grep /tmp/.zserv
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include rejecting IPv4 route messages with prefix length (plen) greater than 32 and validating the byte count against the destination buffer size.
Since the vulnerability is in an unsupported product (Shibby Tomato up to version 1.28), consider migrating to a supported fork such as FreshTomato.
Additional mitigations include:
- Avoid exposing the ripd daemon or the /tmp/.zserv socket to untrusted users or networks.
- Audit and restrict administrative access to prevent indirect exploitation.
- Apply any available patches or updates if provided by the community or maintainers.