CVE-2026-10069
Status: Deferred - Pending Action
Resource Exhaustion in Shibby Tomato miniupnpd

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: VulDB

Description
A vulnerability has been found in Shibby Tomato 1.28. The impacted element is an unknown function of the file usr/sbin/miniupnpd. Such manipulation leads to resource consumption. The attack may be launched remotely. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
Affected Vendors & Products (2 associated CPEs)

Vendor       Product   Version / Range
shibby       tomato    1.28
freshtomato  tomato    *
Weakness (CWE)
CWE-404: The product does not release or incorrectly releases a resource before it is made available for re-use.
CWE-400: The product does not properly control the allocation and maintenance of a limited resource.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-10069 is a resource exhaustion vulnerability in the miniupnpd component of Shibby Tomato firmware version 1.28. An unauthenticated attacker who can reach the daemon's HTTP/SOAP listener, which miniupnpd binds on the LAN side of the router, can send crafted HTTP requests that make the process consume excessive memory. The VulDB description says only that the attack "may be launched remotely" and attributes it to an unknown function in usr/sbin/miniupnpd; the code-level details below are the AI assistant's reading of the daemon, not confirmed by the assigner.

The vulnerability arises because the daemon accumulates attacker-controlled request data in a heap-backed buffer that it repeatedly extends with realloc() without enforcing a maximum request size. Two request shapes trigger it: headers that are never terminated with a blank line, so the daemon keeps appending and never finishes parsing, and POST requests whose Content-Length header declares a very large body while the client sends only part of it, so the connection and its buffer are held open waiting for data that never arrives.

As a result, memory use of the miniupnpd process grows without bound (and multiplies across concurrent connections), leading to denial of service or service degradation on a device with little RAM to spare.


How can this vulnerability impact me?

This vulnerability allows an attacker who can reach the UPnP service on your network to cause denial of service or degrade the performance of a device running Shibby Tomato 1.28 firmware.

Specifically, the attacker can exhaust system memory by sending crafted HTTP requests to the miniupnpd daemon. On a consumer router the daemon shares a small memory pool with routing, DHCP and the web UI, so the device as a whole may become unresponsive or unstable, not just UPnP port mapping.

The attack requires network reachability of the miniupnpd listener (normally only LAN-side clients), and the issue as described is memory exhaustion, not memory corruption; no code execution path is described.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual memory consumption by the miniupnpd daemon on devices running Shibby Tomato 1.28 firmware, and by watching the traffic that reaches it. Since the attack involves HTTP requests with incomplete headers or oversized Content-Length values, traffic analysis on the LAN interface can identify such requests. Note that UDP port 1900 carries SSDP discovery only; the HTTP/SOAP control listener that this issue targets runs on a separate TCP port (the `port` setting in miniupnpd.conf), which the device advertises in its SSDP responses and device description URL, so captures must target that port rather than 1900.

Commands to help detect this vulnerability include checking the memory usage of the miniupnpd process and capturing network traffic for abnormal HTTP requests:

  • Check the resident size of the daemon. Tomato's BusyBox `top` does not accept `-p`, so read it from procfs: `grep VmRSS /proc/$(pidof miniupnpd)/status`, or use `ps w | grep miniupnpd`. A value that keeps climbing while UPnP clients are idle is the signal.
  • Find the control port and capture only that traffic, e.g. `grep -i port /etc/miniupnpd.conf` (path assumed; adjust to where Tomato writes the config), then `tcpdump -i br0 -A tcp port <port>` on the LAN bridge. Look for request headers with no terminating blank line, or a large Content-Length value followed by far fewer body bytes, and for many long-lived connections from one source.
  • Use custom scripts or an IDS to flag requests missing the terminating `\r\n\r\n` sequence or carrying a suspiciously large Content-Length header; match the header name case-insensitively, since `content-length:` is equally valid HTTP and would otherwise slip past a literal match.
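The accumulation pattern described above and the detection rule in the last bullet are two views of the same parser, so one added example covers both. The following C program is illustrative code written for this page, not miniupnpd's source: a per-connection request accumulator that grows a heap buffer with realloc() exactly as the explanation describes, with a `bounded` switch that turns on the caps a hardened daemon would enforce. Run unbounded, the endless-header and huge-Content-Length inputs leave the buffer growing or the connection parked; run bounded, both are rejected. The same bounded parser, fed a captured request, is the classifier an IDS would use. The caps, the `/ctl/IPConn` URL and all sample requests are constructed assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Caps are illustrative assumptions, not values from miniupnpd or the advisory. */
#define MAX_HEADER_BYTES 4096
#define MAX_BODY_BYTES   (64 * 1024)

enum acc_status { ACC_NEED_MORE, ACC_COMPLETE, ACC_REJECT_HEADERS, ACC_REJECT_BODY };

struct req_acc {            /* per-connection request accumulator */
    char  *buf;             /* heap buffer grown by realloc(), the pattern the advisory describes */
    size_t len, header_end; /* header_end: offset past "\r\n\r\n", 0 while headers are incomplete */
    long   content_length;  /* declared body size once headers are parsed */
    int    bounded;         /* 0 = vulnerable grow-forever variant, 1 = hardened variant */
};

/* Case-insensitive Content-Length lookup in the header block: 0 if absent, -1 if malformed. */
static long parse_content_length(const char *hdr, size_t hdr_len)
{
    static const char key[] = "content-length:";
    for (size_t i = 0; i + sizeof key - 1 <= hdr_len; i++) {
        if (strncasecmp(hdr + i, key, sizeof key - 1) != 0) continue;
        const char *p = hdr + i + sizeof key - 1;
        while (*p == ' ' || *p == '\t') p++;
        char *end; long v = strtol(p, &end, 10);
        return (end == p || v < 0) ? -1 : v;
    }
    return 0;
}

/* Append one chunk of socket data and decide what to do with the connection. */
static enum acc_status acc_feed(struct req_acc *a, const char *data, size_t n)
{
    char *nb = realloc(a->buf, a->len + n + 1);
    if (nb == NULL) return ACC_REJECT_BODY;
    a->buf = nb;
    memcpy(a->buf + a->len, data, n);
    a->len += n; a->buf[a->len] = '\0';
    if (a->header_end == 0) {
        char *e = strstr(a->buf, "\r\n\r\n");
        if (e == NULL) {    /* headers still open: the unbounded variant just keeps growing */
            if (a->bounded && a->len > MAX_HEADER_BYTES) return ACC_REJECT_HEADERS;
            return ACC_NEED_MORE;
        }
        a->header_end = (size_t)(e - a->buf) + 4;
        a->content_length = parse_content_length(a->buf, a->header_end);
        if (a->content_length < 0) return ACC_REJECT_BODY;
        /* Oversized declared body: reject now instead of holding buffer and connection open. */
        if (a->bounded && (size_t)a->content_length > MAX_BODY_BYTES) return ACC_REJECT_BODY;
    }
    return a->len - a->header_end >= (size_t)a->content_length ? ACC_COMPLETE : ACC_NEED_MORE;
}

/* Attack 1: headers that never terminate, sent as 128-byte lines. Returns bytes held. */
static size_t run_endless_headers(int bounded, size_t lines, enum acc_status *final)
{
    struct req_acc a = { .bounded = bounded };
    char line[128];
    memset(line, 'a', sizeof line); memcpy(line, "X-Pad: ", 7);
    line[126] = '\r', line[127] = '\n';
    *final = acc_feed(&a, "POST /ctl/IPConn HTTP/1.1\r\n", 27);   /* constructed request line */
    for (size_t i = 0; i < lines && *final == ACC_NEED_MORE; i++)
        *final = acc_feed(&a, line, sizeof line);
    size_t held = a.len;
    free(a.buf);
    return held;
}

/* Attack 2: a huge Content-Length followed by only a few body bytes (constructed request). */
static enum acc_status run_partial_body(int bounded)
{
    static const char req[] = "POST /ctl/IPConn HTTP/1.1\r\nHost: 192.168.1.1\r\n"
                              "Content-Length: 1073741824\r\n\r\n<s:Envelope";
    struct req_acc a = { .bounded = bounded };
    enum acc_status s = acc_feed(&a, req, sizeof req - 1);
    free(a.buf);
    return s;
}

/* Detection view: one captured request through the hardened parser. 1 = suspicious
   (no "\r\n\r\n" anywhere in the capture, or rejected), 0 = complete or benign partial body. */
static int request_is_suspicious(const char *raw)
{
    struct req_acc a = { .bounded = 1 };
    enum acc_status s = acc_feed(&a, raw, strlen(raw));
    int no_terminator = (a.header_end == 0);
    free(a.buf);
    return s != ACC_COMPLETE && (no_terminator || s != ACC_NEED_MORE);
}

int main(void)
{
    enum acc_status s;
    printf("unbounded: %zu bytes held after 100 endless header lines\n", run_endless_headers(0, 100, &s));
    printf("bounded:   %zu bytes held before rejection\n", run_endless_headers(1, 100, &s));
    printf("partial body: unbounded=%d bounded=%d\n", run_partial_body(0), run_partial_body(1));
    printf("headerless capture flagged=%d\n", request_is_suspicious("GET / HTTP/1.1\r\nHost: x"));
    return 0;
}
```

The unbounded run holds every byte the client sends, and the partial-body case stays in ACC_NEED_MORE indefinitely, which is what lets one attacker pin memory on many connections at once. The hardened variant rejects after MAX_HEADER_BYTES without a blank line and refuses any Content-Length above MAX_BODY_BYTES before reading the body; a real fix would pair those caps with a per-connection idle timeout and a cap on concurrent connections, which this example does not model.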

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling UPnP on affected devices if it is not required; the vulnerability is exploitable only when UPnP is enabled, because that is what starts miniupnpd and its listener.

If disabling UPnP is not possible, restrict access to the miniupnpd HTTP control port to trusted LAN hosts (for example with iptables rules on the router, matching the daemon's TCP port by source address), and keep the service off guest or IoT VLANs where untrusted devices live.

Ordinary packet-filter rules cannot see whether an HTTP request's headers are complete or whether its Content-Length matches the body; that inspection needs an IPS or a proxy in front of the service. What a firewall can do is limit new connections per source and cap the number of concurrent connections to the UPnP port, which blunts the memory-holding variant of the attack.

Since Shibby Tomato 1.28 is no longer supported and has been superseded by FreshTomato, plan a migration to the maintained successor on its current release; note that this page's CPE list also names FreshTomato, so confirm from its release notes that the miniupnpd build you install carries a fix rather than assuming it.

