CVE-2026-10069
Description
A vulnerability has been found in Shibby Tomato 1.28. The impacted element is an unknown function of the file usr/sbin/miniupnpd. Such manipulation leads to resource consumption. The attack may be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Shibby Tomato 1.28's miniupnpd has an uncontrolled resource consumption vulnerability that an unauthenticated remote attacker can exploit to cause a denial of service.
Vulnerability
A resource consumption vulnerability exists in Shibby Tomato firmware version 1.28, specifically in the usr/sbin/miniupnpd binary. An unknown function within this component does not properly control the buffering of HTTP requests, allowing an attacker to exhaust system resources. This version is the last release of the Shibby Tomato project, which is superseded by FreshTomato and no longer supported [1].
Exploitation
The attack can be launched remotely without authentication. An attacker sends specially crafted HTTP requests to the UPnP service, causing the device to allocate excessive memory or CPU resources. The specific sequence of requests required to trigger the resource exhaustion is not detailed in the available reference, but the issue is classified as an uncontrolled resource consumption in HTTP request buffering [1].
Impact
Successful exploitation leads to uncontrolled resource consumption, resulting in a denial of service (DoS). The target device may become unresponsive or crash, impacting network availability. Since the attack is remote and requires no authentication, any affected device exposed to the network is at risk [1].
Mitigation
The Shibby Tomato 1.28 firmware is end-of-life (EOL) and no longer supported by its maintainer. No official patch will be released. Users are strongly advised to upgrade to a supported fork such as FreshTomato. No workaround is provided in the reference [1].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.28
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.