CVE-2026-16095
Shibby · Tomato
An out-of-bounds write flaw in the setup_conntrack function of Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124 allows unauthenticated remote attackers to trigger memory corruption.
Executive summary
An unauthenticated out-of-bounds write vulnerability in Shibby Tomato 1.28 poses a high risk of remote memory corruption and system compromise.
Vulnerability
This flaw involves an out-of-bounds write in the setup_conntrack function of the /sbin/rc binary. An unauthenticated attacker can trigger this by manipulating the ct_tcp_timeout argument.
Business impact
The CVSS score of 8.8 reflects the high risk posed by this vulnerability, particularly because it does not require authentication. Successful exploitation allows for memory corruption, which can lead to complete device compromise or persistent denial of service, impacting the availability of the network.
Remediation
Immediate Action: Cease use of the unmaintained Shibby Tomato firmware and migrate all affected hardware to FreshTomato.
Proactive Monitoring: Monitor network traffic for malformed TCP packets or unusual interactions with connection tracking parameters.
Compensating Controls: Deploy a WAF or an Intrusion Prevention System (IPS) to filter malicious packets directed at the router management interface.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The abandonment of the Shibby Tomato project means that this vulnerability will not be patched by the original developers. Immediate migration to FreshTomato is the only viable path to secure your infrastructure against this critical risk.