CVE-2026-16096
Received Received - Intake

Stack-Based Buffer Overflow in Shibby Tomato Firmware

Vulnerability report for CVE-2026-16096, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A vulnerability has been found in Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124. This affects the function sub_40BB50 of the file /proc/webmon_recent_domains. The manipulation leads to stack-based buffer overflow. It is possible to initiate the attack remotely. This project is superseded by FreshTomato.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
shibby tomato to 1.28 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-16096 is a stack-based buffer overflow in Shibby Tomato firmware version 1.28 RT-N5x MIPSR2 Build 124. The flaw exists in the function sub_40BB50 which processes data from /proc/webmon_recent_domains. When parsing web monitor records, the function uses sscanf without proper field-width limits, allowing long domain or search tokens to overwrite stack memory. This can cause data corruption or denial of service when an authenticated administrator accesses the web monitor page.

Detection Guidance

Check if Tomato firmware version 1.28 RT-N5x MIPSR2 build 124 is running. Inspect /proc/webmon_recent_domains and /proc/webmon_recent_searches for unusually long entries. Monitor httpd logs for crashes or errors during web monitor page access.

Impact Analysis

This vulnerability could allow an authenticated remote attacker to cause a denial of service by crashing the device or corrupting data. Since exploitation requires web monitoring to be enabled and an attacker needs administrative access, the immediate impact is limited to systems with this feature active. However, it may enable further attacks if combined with other vulnerabilities.

Compliance Impact

This vulnerability could potentially impact compliance with GDPR and HIPAA by enabling unauthorized access or data corruption if exploited. A stack-based buffer overflow may allow attackers to manipulate data or cause denial of service, which could lead to unauthorized disclosure of sensitive information or disruption of services. Compliance may be affected if the vulnerability results in unauthorized access to personal or health data.

Mitigation Strategies

Upgrade to FreshTomato firmware immediately. Disable web monitoring if enabled. Restrict access to the web interface to trusted networks only. Monitor system logs for signs of exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16096. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart