{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-16095/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-16095"},{"cvss":8.8,"id":"CVE-2026-16096"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Tomato 1.28 RT-N5x MIPSR2 Build 124"],"_cs_severities":["high"],"_cs_tags":["vulnerability","router","firmware","out-of-bounds-write","CVE-2026-16095"],"_cs_type":"advisory","_cs_vendors":["Shibby"],"content_html":"\u003cp\u003eA critical out-of-bounds write vulnerability, identified as CVE-2026-16095, has been discovered in Shibby Tomato firmware version 1.28 RT-N5x MIPSR2 Build 124. This flaw resides within the \u003ccode\u003esetup_conntrack\u003c/code\u003e function of the \u003ccode\u003e/sbin/rc\u003c/code\u003e executable, which is responsible for connection tracking. Attackers can remotely exploit this vulnerability by manipulating the \u003ccode\u003ect_tcp_timeout\u003c/code\u003e argument, leading to an out-of-bounds write. This memory corruption can result in system instability, denial of service, or potentially arbitrary code execution, granting an attacker full control over the affected router. The vulnerability is assigned a CVSS v3.1 base score of 8.8 (High) and affects a superseded project, as Shibby Tomato has been replaced by FreshTomato. Organizations still utilizing this legacy firmware version face significant risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a Shibby Tomato router running the vulnerable 1.28 RT-N5x MIPSR2 Build 124 firmware that is exposed and accessible on the network.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes a network connection to the vulnerable router, potentially requiring low-privileged access based on the CVSS score.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious network packet or request specifically designed to interact with the \u003ccode\u003esetup_conntrack\u003c/code\u003e function within the \u003ccode\u003e/sbin/rc\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a specially crafted value for the \u003ccode\u003ect_tcp_timeout\u003c/code\u003e argument, designed to exceed expected buffer boundaries.\u003c/li\u003e\n\u003cli\u003eUpon processing this manipulated argument, the \u003ccode\u003esetup_conntrack\u003c/code\u003e function attempts to write data beyond its allocated memory buffer.\u003c/li\u003e\n\u003cli\u003eThis out-of-bounds write operation corrupts adjacent memory, potentially overwriting critical data or code pointers within the router's operating system.\u003c/li\u003e\n\u003cli\u003eDepending on the specific memory corruption, this can lead to the router crashing (denial of service) or allow the attacker to execute arbitrary code with the privileges of the affected process, achieving full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-16095 can lead to severe consequences for affected organizations. The primary observed impacts include denial of service, where the vulnerable router becomes unresponsive or reboots unexpectedly due to memory corruption. More critically, an attacker could achieve arbitrary code execution, enabling them to gain full control over the router. This level of compromise allows for network reconnaissance, manipulation of network traffic, establishment of persistent backdoors, or use of the router as a pivot point for further attacks into internal networks. The high CVSS score reflects the significant confidentiality, integrity, and availability impacts on the affected device.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch CVE-2026-16095 by updating Shibby Tomato firmware 1.28 RT-N5x MIPSR2 Build 124 to a version where this vulnerability is resolved, or migrate to FreshTomato if a direct patch is unavailable.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to restrict remote access to router administration interfaces.\u003c/li\u003e\n\u003cli\u003eMonitor network connection logs from router devices for unusual or malformed requests targeting device administration ports.\u003c/li\u003e\n\u003cli\u003eDeploy a firewall to filter or inspect network traffic for anomalies that might indicate attempts to manipulate connection tracking arguments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-18T12:18:06Z","date_published":"2026-07-18T11:17:55Z","id":"https://feed.craftedsignal.io/briefs/2026-07-shibby-tomato-oob-write/","summary":"A remote out-of-bounds write vulnerability, CVE-2026-16095, affects Shibby Tomato firmware version 1.28 RT-N5x MIPSR2 Build 124, where manipulating the `ct_tcp_timeout` argument in the `setup_conntrack` function of `/sbin/rc` can lead to memory corruption, potentially allowing arbitrary code execution or denial of service.","title":"Shibby Tomato Router Firmware Out-of-Bounds Write Vulnerability (CVE-2026-16095)","url":"https://feed.craftedsignal.io/briefs/2026-07-shibby-tomato-oob-write/"}],"language":"en","title":"CraftedSignal Threat Feed - CVE-2026-16095","version":"https://jsonfeed.org/version/1.1"}