<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Tomato 1.28 RT-N5x MIPSR2 Build 124 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/tomato-1.28-rt-n5x-mipsr2-build-124/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sat, 18 Jul 2026 11:17:55 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/tomato-1.28-rt-n5x-mipsr2-build-124/feed.xml" rel="self" type="application/rss+xml"/><item><title>Shibby Tomato Router Firmware Out-of-Bounds Write Vulnerability (CVE-2026-16095)</title><link>https://feed.craftedsignal.io/briefs/2026-07-shibby-tomato-oob-write/</link><pubDate>Sat, 18 Jul 2026 11:17:55 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-shibby-tomato-oob-write/</guid><description>A remote out-of-bounds write vulnerability, CVE-2026-16095, affects Shibby Tomato firmware version 1.28 RT-N5x MIPSR2 Build 124, where manipulating the `ct_tcp_timeout` argument in the `setup_conntrack` function of `/sbin/rc` can lead to memory corruption, potentially allowing arbitrary code execution or denial of service.</description><content:encoded><![CDATA[<p>A critical out-of-bounds write vulnerability, identified as CVE-2026-16095, has been discovered in Shibby Tomato firmware version 1.28 RT-N5x MIPSR2 Build 124. This flaw resides within the <code>setup_conntrack</code> function of the <code>/sbin/rc</code> executable, which is responsible for connection tracking. Attackers can remotely exploit this vulnerability by manipulating the <code>ct_tcp_timeout</code> argument, leading to an out-of-bounds write. This memory corruption can result in system instability, denial of service, or potentially arbitrary code execution, granting an attacker full control over the affected router. The vulnerability is assigned a CVSS v3.1 base score of 8.8 (High) and affects a superseded project, as Shibby Tomato has been replaced by FreshTomato. Organizations still utilizing this legacy firmware version face significant risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a Shibby Tomato router running the vulnerable 1.28 RT-N5x MIPSR2 Build 124 firmware that is exposed and accessible on the network.</li>
<li>The attacker establishes a network connection to the vulnerable router, potentially requiring low-privileged access based on the CVSS score.</li>
<li>The attacker crafts a malicious network packet or request specifically designed to interact with the <code>setup_conntrack</code> function within the <code>/sbin/rc</code> file.</li>
<li>The malicious request includes a specially crafted value for the <code>ct_tcp_timeout</code> argument, designed to exceed expected buffer boundaries.</li>
<li>Upon processing this manipulated argument, the <code>setup_conntrack</code> function attempts to write data beyond its allocated memory buffer.</li>
<li>This out-of-bounds write operation corrupts adjacent memory, potentially overwriting critical data or code pointers within the router's operating system.</li>
<li>Depending on the specific memory corruption, this can lead to the router crashing (denial of service) or allow the attacker to execute arbitrary code with the privileges of the affected process, achieving full system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-16095 can lead to severe consequences for affected organizations. The primary observed impacts include denial of service, where the vulnerable router becomes unresponsive or reboots unexpectedly due to memory corruption. More critically, an attacker could achieve arbitrary code execution, enabling them to gain full control over the router. This level of compromise allows for network reconnaissance, manipulation of network traffic, establishment of persistent backdoors, or use of the router as a pivot point for further attacks into internal networks. The high CVSS score reflects the significant confidentiality, integrity, and availability impacts on the affected device.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch CVE-2026-16095 by updating Shibby Tomato firmware 1.28 RT-N5x MIPSR2 Build 124 to a version where this vulnerability is resolved, or migrate to FreshTomato if a direct patch is unavailable.</li>
<li>Implement network segmentation to restrict remote access to router administration interfaces.</li>
<li>Monitor network connection logs from router devices for unusual or malformed requests targeting device administration ports.</li>
<li>Deploy a firewall to filter or inspect network traffic for anomalies that might indicate attempts to manipulate connection tracking arguments.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>router</category><category>firmware</category><category>out-of-bounds-write</category><category>CVE-2026-16095</category></item></channel></rss>