CVE-2026-16097
Received Received - Intake

Stack-Based Buffer Overflow in Shibby Tomato Scheduler

Vulnerability report for CVE-2026-16097, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-18

Last updated on: 2026-07-18

Assigner: VulDB

Description

A vulnerability was found in Shibby Tomato 1.28. This vulnerability affects the function sub_42537C of the component Scheduler Name Handler. The manipulation of the argument a1 results in stack-based buffer overflow. It is possible to launch the attack remotely. This project is superseded by FreshTomato.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-18
Last Modified
2026-07-18
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
shibby tomato 1.28

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-16097 is a stack-based buffer overflow and command injection vulnerability in Shibby Tomato firmware version 1.28. It affects the function sub_42537C in the Scheduler Name Handler component. The vulnerability occurs when user-controlled input (a1) is manipulated to overflow a 64-byte stack buffer, corrupting saved registers and potentially overwriting the return address. This can lead to crashes, denial of service, or arbitrary code execution. Additionally, shell metacharacters in the input could enable command injection.

Detection Guidance

Check for Tomato PL ND 1.28 beta firmware versions on MIPS32 little-endian systems. Inspect the `sbin/rc` component for the vulnerable `sub_42537C` function. Monitor for crashes in the scheduler or unusual command execution patterns. Look for inputs containing `sch_*` arguments with shell metacharacters like semicolons.

Impact Analysis

If exploited, this vulnerability could allow an attacker to execute arbitrary commands on the affected system, potentially leading to full system compromise. An attacker could crash the device, disrupt services, or gain unauthorized access. The impact depends on the attacker's access level: remote or authenticated access increases severity, while local or CLI exploitation may limit the attack scope.

Compliance Impact

This vulnerability, a stack-based buffer overflow and potential command injection in Shibby Tomato firmware, could lead to unauthorized code execution or data exfiltration if exploited. Such breaches may violate GDPR's integrity and confidentiality requirements or HIPAA's safeguards for protected health information, depending on the system's use case. Unauthorized access could result in data loss or corruption, impacting compliance.

Mitigation Strategies

Upgrade to FreshTomato firmware which supersedes Shibby Tomato. Disable remote or unauthenticated access to scheduler functions. Implement input validation for scheduler names to prevent buffer overflows and command injection. Monitor logs for suspicious scheduler-related activities.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16097. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart