CVE-2026-10124: Shibby Tomato Zserv ripd rip_zebra_read_ipv4 stack-based overflow
A vulnerability was determined in Shibby Tomato up to 1.28. Affected is the function rip_zebra_read_ipv4 of the file /usr/sbin/ripd of the component Zserv Handler. Executing a manipulation can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato. This vulnerability only affects products that are no longer supported by the maintainer.
HarborGuard Analysis
HarborGuard analysisSynopsis
A stack-based buffer overflow in the rip_zebra_read_ipv4 function of ripd in Shibby Tomato (up to 1.28). The bug is reachable over the network and requires only low-privilege credentials, with no victim interaction needed; successful exploitation corrupts the stack of the ripd routing daemon and yields full compromise of confidentiality, integrity, and availability on the affected device. No upstream fix is published - Shibby Tomato is end-of-life and superseded by FreshTomato - so HarborGuard tracks the advisory for any future patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment - CVE-2026-10124 is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that bundle Shibby Tomato or its ripd binary.
AvailableTriage is available with the published CVSS v4.0 base score of 8.7 (HIGH) weighted against each customer's compliance policy, then routed to the appropriate inbox inside each customer organization.
AvailableBecause the upstream project is abandoned and no fix version exists, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available immediately if FreshTomato or another downstream publishes a fix; in the meantime, the finding stays open with compensating-control guidance attached.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must reach the ripd Zserv handler over the network (AV:N).
- AuthenticationRequired
PR:L - any low-privilege account or routing-protocol peer relationship with the device is sufficient.
- Victim interactionNot required
UI:N - no user action on the target is needed to trigger the overflow.
- Attack complexityDetail
AC:L - the exploit is reliable and has no special environmental preconditions, and a public PoC has been disclosed.
Blast Radius
- Corrupts the ripd process stack, enabling arbitrary code execution in the routing daemon's context.
- Reads any data accessible to ripd, including routing tables and adjacent in-memory secrets (VC:H).
- Modifies routing state and on-device configuration, allowing traffic redirection or blackholing (VI:H).
- Crashes or hangs the ripd service, disrupting dynamic routing on the device (VA:H).
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the CVE-2026-10124 advisory for any downstream fix (Shibby Tomato itself is unmaintained and superseded by FreshTomato), with the finding surfaced in each affected environment alongside compensating-control suggestions - restrict ripd/Zserv exposure with network policy so only trusted routing peers can reach it, filter egress from devices running the affected binary, and consider migrating to FreshTomato or a maintained routing stack. The moment an upstream patch lands, a rebuilt image becomes available on HarborGuard, and environments with auto-remediation enabled get the rebuild, regression run, and a PR opened against affected workloads automatically.
Metrics
- CVSS v4.0
- 8.7
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
- Shibby / Tomato1.0 · 1.1 · 1.2 · 1.3 · 1.4 · 1.5
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P