Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008.
AnalysisAI
Tor before version 0.4.9.7 can incorrectly attempt or accept BEGIN_DIR cells over conflux legs, a Tor relay multiplexing feature, enabling potential integrity violations in circuit construction. The vulnerability has a CVSS score of 3.7 (low severity) with impact limited to integrity rather than confidentiality or availability. No public exploit code or active exploitation has been identified at the time of analysis.
Technical ContextAI
This vulnerability involves Tor's conflux protocol implementation, which allows multiple relay legs to be aggregated into a single circuit for improved routing flexibility and performance. BEGIN_DIR is a Tor cell type used to establish directory connections over existing circuits. The underlying issue (CWE-669: Improper Resource Validation) indicates insufficient validation of which circuit types can legitimately carry BEGIN_DIR cells. Conflux legs are not designed to handle directory protocol streams, and accepting such cells over these specialized legs violates Tor's circuit state machine rules. The vulnerability affects all Tor versions prior to 0.4.9.7, as identified by the CPE string cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:*.
RemediationAI
Upgrade Tor to version 0.4.9.7 or later. This is the primary fix provided by the Tor Project and fully resolves the vulnerability by preventing BEGIN_DIR cells from being accepted or processed over conflux legs. No workarounds are available for versions prior to 0.4.9.7. Users unable to upgrade immediately should temporarily disable conflux participation by reviewing relay configuration settings in torrc; however, this may impact performance and routing diversity, so upgrading is strongly preferred. Detailed upgrade instructions and release notes are available at https://forum.torproject.org/c/news/tor-release-announcement/28 and https://www.openwall.com/lists/oss-security/2026/05/06/8.
Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discove
Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-s
A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. Rated high severity (CVSS 7.5), this vulnerability
The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not th
The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before att
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef
Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden servic
Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data
The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the r
The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the c
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef
Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28238
GHSA-rprm-6mg6-r8fm