Skip to main content

Tor CVE-2026-44599

| EUVDEUVD-2026-28238 LOW
Incorrect Resource Transfer Between Spheres (CWE-669)
2026-05-07 mitre GHSA-rprm-6mg6-r8fm
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
May 07, 2026 - 06:16 EUVD
Analysis Generated
May 07, 2026 - 03:15 vuln.today
CVE Published
May 07, 2026 - 02:11 nvd
LOW 3.7

DescriptionCVE.org

Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008.

AnalysisAI

Tor before version 0.4.9.7 can incorrectly attempt or accept BEGIN_DIR cells over conflux legs, a Tor relay multiplexing feature, enabling potential integrity violations in circuit construction. The vulnerability has a CVSS score of 3.7 (low severity) with impact limited to integrity rather than confidentiality or availability. No public exploit code or active exploitation has been identified at the time of analysis.

Technical ContextAI

This vulnerability involves Tor's conflux protocol implementation, which allows multiple relay legs to be aggregated into a single circuit for improved routing flexibility and performance. BEGIN_DIR is a Tor cell type used to establish directory connections over existing circuits. The underlying issue (CWE-669: Improper Resource Validation) indicates insufficient validation of which circuit types can legitimately carry BEGIN_DIR cells. Conflux legs are not designed to handle directory protocol streams, and accepting such cells over these specialized legs violates Tor's circuit state machine rules. The vulnerability affects all Tor versions prior to 0.4.9.7, as identified by the CPE string cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:*.

RemediationAI

Upgrade Tor to version 0.4.9.7 or later. This is the primary fix provided by the Tor Project and fully resolves the vulnerability by preventing BEGIN_DIR cells from being accepted or processed over conflux legs. No workarounds are available for versions prior to 0.4.9.7. Users unable to upgrade immediately should temporarily disable conflux participation by reviewing relay configuration settings in torrc; however, this may impact performance and routing diversity, so upgrading is strongly preferred. Detailed upgrade instructions and release notes are available at https://forum.torproject.org/c/news/tor-release-announcement/28 and https://www.openwall.com/lists/oss-security/2026/05/06/8.

More in Tor

View all
CVE-2017-16541 MEDIUM POC
6.5 Nov 04

Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discove

CVE-2021-38385 HIGH POC
7.5 Aug 30

Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-s

CVE-2018-0491 HIGH POC
7.5 Mar 05

A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. Rated high severity (CVSS 7.5), this vulnerability

CVE-2023-23589 MEDIUM POC
6.5 Jan 14

The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not th

CVE-2020-8516 MEDIUM POC
5.3 Feb 02

The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before att

CVE-2017-8823 HIGH
8.1 Dec 03

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef

CVE-2016-1254 HIGH
7.5 Dec 05

Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden servic

CVE-2016-8860 HIGH
7.5 Jan 04

Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data

CVE-2017-0375 HIGH
7.5 Jun 09

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the r

CVE-2017-0376 HIGH
7.5 Jun 09

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the c

CVE-2017-8821 HIGH
7.5 Dec 03

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef

CVE-2017-0377 HIGH
7.5 Jul 02

Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family

Share

CVE-2026-44599 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy