Skip to main content

Tor CVE-2026-44600

| EUVDEUVD-2026-28237 LOW
Incorrect Behavior Order (CWE-696)
2026-05-07 mitre GHSA-7cv5-2ch3-g323
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch available
May 07, 2026 - 06:16 EUVD
Analysis Generated
May 07, 2026 - 03:15 vuln.today
CVE Published
May 07, 2026 - 02:20 nvd
LOW 3.7

DescriptionCVE.org

Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue.

AnalysisAI

Tor before version 0.4.9.7 mishandles memory accounting in the conflux out-of-order queue during queue clearing operations, leading to a denial-of-service condition through resource exhaustion. Unauthenticated remote attackers can exploit this via network-level packet manipulation to trigger improper queue state management, causing availability degradation on affected Tor relays and clients. The vulnerability has a low severity CVSS score (3.7) due to attack complexity and availability-only impact, with no confirmed active exploitation at time of analysis.

Technical ContextAI

Tor's conflux protocol implements out-of-order packet queue management to handle network packet reordering. The vulnerability exists in CWE-696 (Incorrect Behavior Order) - specifically, the accounting mechanism that tracks memory allocations for queued packets fails to properly decrement or validate queue state when clearing operations occur. This suggests a logic error in the queue lifecycle management where allocated memory is not correctly freed or accounted for during teardown, potentially leading to unbounded growth or exhaustion of memory resources dedicated to queue buffers. The conflux feature is part of Tor's relay and client communication stack, making all implementations potentially vulnerable if conflux is enabled.

RemediationAI

Upgrade Tor to version 0.4.9.7 or later. This version includes the upstream fix committed to the Tor repository (commit a198185ed863677d60eec120126730628dac35bb). Users running Tor relays or clients should apply this update as soon as possible via their package manager or by downloading directly from the Tor Project website (https://www.torproject.org/download/). If immediate patching is not feasible, operators may temporarily mitigate by disabling conflux protocol support via configuration settings if such options are available in their deployed version, though this may impact network performance and anonymity properties - consult Tor documentation for trade-offs. Monitor Tor relay logs for signs of memory exhaustion or repeated connection teardowns, which may indicate exploitation attempts.

More in Tor

View all
CVE-2017-16541 MEDIUM POC
6.5 Nov 04

Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discove

CVE-2021-38385 HIGH POC
7.5 Aug 30

Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-s

CVE-2018-0491 HIGH POC
7.5 Mar 05

A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. Rated high severity (CVSS 7.5), this vulnerability

CVE-2023-23589 MEDIUM POC
6.5 Jan 14

The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not th

CVE-2020-8516 MEDIUM POC
5.3 Feb 02

The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before att

CVE-2017-8823 HIGH
8.1 Dec 03

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef

CVE-2016-1254 HIGH
7.5 Dec 05

Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden servic

CVE-2016-8860 HIGH
7.5 Jan 04

Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data

CVE-2017-0375 HIGH
7.5 Jun 09

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the r

CVE-2017-0376 HIGH
7.5 Jun 09

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the c

CVE-2017-8821 HIGH
7.5 Dec 03

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef

CVE-2017-0377 HIGH
7.5 Jul 02

Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family

Share

CVE-2026-44600 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy