High severity · 8.8 · NVD Advisory · Published May 30, 2026

CVE-2026-10124

Description

A vulnerability was determined in Shibby Tomato up to 1.28. Affected is the function rip_zebra_read_ipv4 of the file /usr/sbin/ripd of the component Zserv Handler. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack-based buffer overflow in Shibby Tomato's ripd Zserv handler allows remote attackers to execute arbitrary code on unsupported firmware.

Vulnerability

A stack-based buffer overflow exists in the function rip_zebra_read_ipv4 within the file /usr/sbin/ripd of Shibby Tomato firmware up to version 1.28. The vulnerability resides in the Zserv Handler component, which processes incoming routing protocol messages. The overflow occurs when handling specially crafted IPv4 data, leading to memory corruption. Affected versions include all releases up to and including 1.28. This project is superseded by FreshTomato and is no longer supported by the maintainer [1].

Exploitation

An attacker can exploit this vulnerability remotely without requiring authentication. By sending a maliciously crafted packet to the RIP daemon (ripd), the attacker triggers a stack-based buffer overflow. The exploit has been publicly disclosed, providing a proof-of-concept that demonstrates the attack sequence [1]. No user interaction or special network position beyond reachability of the RIP service is needed.

Impact

Successful exploitation allows the attacker to achieve arbitrary code execution on the target device. Since ripd typically runs with root privileges, the attacker gains full control over the router, enabling data exfiltration, further network compromise, or persistent backdoor installation. The impact is critical for any organization still using the unsupported Shibby Tomato firmware.

Mitigation

No official patch is available from the maintainer, as Shibby Tomato is end-of-life and no longer supported. Users must upgrade to FreshTomato, the actively maintained fork, which is not affected by this vulnerability. There is no workaround that fully mitigates the risk while running the vulnerable firmware. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 30, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

References: 4
