CVE-2026-10124: Shibby Tomato Stack Buffer Overflow in RIP Daemon
A stack-based buffer overflow has been discovered in Shibby Tomato, a Linux router distribution, affecting versions up to 1.28. The vulnerability exists in the RIP (Routing Information Protocol) daemon's IPv4 handling function and allows authenticated attackers to overflow memory on the system stack, potentially leading to code execution. The flaw has been publicly disclosed, and exploit code is available. Critically, Shibby Tomato is no longer maintained by its original developers, having been superseded by FreshTomato. This means no security patches will be released for affected installations.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-119, CWE-121
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-30 / 2026-06-17
NVD description (verbatim)
A vulnerability was determined in Shibby Tomato up to 1.28. Affected is the function rip_zebra_read_ipv4 of the file /usr/sbin/ripd of the component Zserv Handler. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-10124 is a stack-based buffer overflow in the rip_zebra_read_ipv4 function within /usr/sbin/ripd, the RIP daemon handler component of Shibby Tomato. The vulnerability stems from improper bounds checking when processing IPv4 routing information (CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer; CWE-121: Stack-based Buffer Overflow). An authenticated remote attacker can craft malicious RIP protocol packets to trigger the overflow, corrupting the stack and potentially hijacking program execution. The CVSS 3.1 score of 8.8 (HIGH) reflects the combination of network accessibility, low attack complexity, and high impact across confidentiality, integrity, and availability.
Business impact
Organizations relying on Shibby Tomato-based router deployments face significant operational risk. Compromised routers can be leveraged for lateral network movement, data exfiltration, man-in-the-middle attacks, or complete network infrastructure takeover. The lack of vendor support eliminates the possibility of official patches, leaving affected deployments perpetually exposed. Teams must decide between accepting risk, decommissioning affected hardware, or migrating to actively maintained alternatives like FreshTomato—each option carrying operational and financial implications.
Affected systems
Shibby Tomato versions up to and including 1.28 are affected. The project is no longer maintained and has been superseded by FreshTomato. Any production or semi-production deployments of Shibby Tomato remain vulnerable. This typically affects custom-compiled router distributions and specialized embedded Linux appliances rather than mainstream commercial products, but legacy deployments in enterprises, small businesses, and technical environments may still run affected versions.
Exploitability
The vulnerability is remotely exploitable over the network (no local access required) by an authenticated attacker. Attack complexity is low, meaning standard RIP protocol knowledge is sufficient to craft a malicious packet. Public disclosure and available exploit code lower the barrier to weaponization. However, the authentication requirement provides a partial control: the attacker must either be on the local network segment where RIP is operational or possess valid credentials to trigger the RIP daemon. In many deployments, RIP daemons listen only on internal interfaces, restricting the practical attack surface.
Remediation
No official patch exists for Shibby Tomato, as the project is unmaintained. Organizations have three primary remediation paths: (1) Migrate to FreshTomato, the actively maintained successor, which addresses this vulnerability; (2) Disable or restrict RIP daemon functionality if it is not essential to network operations; (3) Implement network segmentation and access controls to limit who can reach the RIP daemon (e.g., restrict RIP to trusted internal subnets). For environments where migration is not immediately feasible, a combination of network isolation and monitoring is essential.
Patch guidance
No patch is available from the Shibby Tomato project. FreshTomato, the successor project, has incorporated security improvements and should be verified as the authoritative upgrade path. Verify FreshTomato's advisory documentation to confirm this specific CVE is addressed in available versions before deployment. If patching is not feasible in your environment, prioritize network hardening: restrict RIP protocol traffic to trusted sources, disable RIP if unused, and consider blocking UDP port 520 (RIP) at network boundaries.
Detection guidance
Monitor network traffic for suspicious RIP protocol activity, particularly packets with unusual payload sizes or malformed IPv4 route entries that might indicate exploitation attempts. Log access to /usr/sbin/ripd and monitor for unexpected process crashes or restarts of the RIP daemon, which may indicate failed or successful exploitation. Deploy IDS/IPS signatures to detect RIP buffer overflow attack patterns. On affected systems, enable core dumps and analyze any crash events for evidence of stack corruption or return address manipulation. Inventory systems running Shibby Tomato and confirm their version and operational status.
Why prioritize this
This vulnerability merits high priority despite the unmaintained status of the affected software for several reasons: (1) CVSS score of 8.8 reflects significant impact potential; (2) Remote exploitability with low complexity; (3) Public disclosure and available exploits mean attackers have working tools; (4) Absence of vendor support means the window for remediation is open-ended. Organizations operating Shibby Tomato systems should treat this as urgent, even if migration planning is necessary.
Risk score, explained
The CVSS 3.1 score of 8.8 reflects a HIGH-severity vulnerability with network attack vector, low attack complexity, and requirement for low-privilege authentication. The confidentiality, integrity, and availability impacts are all rated HIGH, indicating that successful exploitation could result in unauthorized information access, system modification, and service disruption. The combination of remote accessibility and code-execution potential, offset only by the authentication barrier, produces a score that warrants rapid response in any security program.
Frequently asked questions
Is FreshTomato a drop-in replacement for Shibby Tomato?
FreshTomato is the maintained successor to Shibby Tomato and shares much of the same codebase and interface. However, deployment requirements and configuration workflows may differ slightly. Test FreshTomato in a non-production environment first to validate compatibility with your specific router hardware and network topology before migration.
Can I simply disable RIP to eliminate this risk?
Yes. If your network does not rely on RIP for dynamic routing, disabling the RIP daemon entirely will prevent exploitation of this vulnerability. Most modern networks use OSPF or BGP. If you are uncertain whether RIP is in use, consult your network documentation and test disabling it in a controlled manner. Confirm that disabling RIP does not break any critical routing dependencies before applying broadly.
What if our Shibby Tomato deployment is air-gapped or internal-only?
Air-gapped networks reduce but do not eliminate risk if an insider or compromised internal system can access the RIP daemon. Additionally, supply-chain or other incidents can introduce connectivity unexpectedly. Even in internal deployments, treating this as a medium-term remediation item ensures you are not caught off-guard if the network topology changes or if the system is ever connected to untrusted networks.
Does this vulnerability affect FreshTomato?
FreshTomato is the actively maintained successor and has incorporated security improvements over Shibby Tomato. Refer to FreshTomato's official security advisories and release notes to confirm that this specific CVE has been addressed in the versions available for your hardware platform. This is a strong incentive for migration.
This analysis is provided for informational purposes and reflects the vulnerability details and status as of the publication date. Shibby Tomato is no longer maintained by its original developers. Organizations should verify all remediation steps, patch availability, and FreshTomato compatibility against vendor advisories and their own test environments before deploying changes to production systems. The absence of official patches does not eliminate the risk; proactive network segmentation and access controls remain essential interim measures. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10062HIGHTRENDnet TEW-432BRP Stack Overflow – EOL Hardware Risk
- CVE-2026-10063HIGHTRENDnet TEW-432BRP Stack Overflow – End-of-Life Router Vulnerability
- CVE-2026-10065HIGHShibby Tomato 1.28 Stack Buffer Overflow in tomatodata.cgi
- CVE-2026-10066HIGHShibby Tomato Stack Buffer Overflow in UPS Service (RCE)
- CVE-2026-10067HIGHShibby Tomato 1.28 Stack Buffer Overflow in multimon.cgi
- CVE-2026-10119HIGHStack Overflow in TRENDnet TEW-432BRP End-of-Life Router
- CVE-2026-10120HIGHTRENDnet TEW-432BRP Buffer Overflow – No Patch Available
- CVE-2026-10121HIGHTRENDnet TEW-432BRP Stack Buffer Overflow