Skip to main content

Tor CVE-2026-44601

| EUVDEUVD-2026-28302 LOW
Improper Enforcement of a Single, Unique Action (CWE-837)
2026-05-07 mitre GHSA-fc55-xrcv-x657
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch available
May 07, 2026 - 06:16 EUVD
Analysis Generated
May 07, 2026 - 04:45 vuln.today
CVE Published
May 07, 2026 - 03:09 nvd
LOW 3.7

DescriptionCVE.org

Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009.

AnalysisAI

Tor before version 0.4.9.7 can crash due to a double-close vulnerability in circuit handling when memory pressure conditions exist on the circuit queue, resulting in denial of service to affected clients. The vulnerability requires specific network conditions (high circuit queue load) to trigger but affects all Tor clients running vulnerable versions. A patch is available in Tor 0.4.9.7 and later.

Technical ContextAI

Tor is an anonymity network that routes traffic through encrypted circuits composed of multiple relays. The vulnerability resides in circuit lifecycle management code that handles memory pressure scenarios. CWE-837 represents an improper enforcement of behavioral workflow, specifically where the circuit close handler fails to properly track closure state, leading to a double-close condition when queue memory limits are exceeded. The affected code path is triggered during circuit cleanup when memory pressure forces the deallocation of queued circuit entries, and the buggy handler attempts to close an already-closed circuit resource, causing a crash in the Tor client process.

RemediationAI

Upgrade to Tor version 0.4.9.7 or later to obtain the vendor-released patch. Users should update via their Tor installation method (package manager for most Linux distributions, official Tor Browser updates, or manual compilation from source). Administrators managing Tor relays or clients should prioritize upgrades within two weeks of release availability. Until patching is possible, no effective workaround exists to prevent the double-close condition, as it is inherent to the circuit lifecycle code. However, the vulnerability only manifests under memory pressure on the circuit queue, so systems with ample available memory may experience crashes less frequently. For high-availability deployments, implementing process monitoring and automatic restart of crashed Tor instances can mitigate the denial-of-service impact while patches are prepared.

More in Tor

View all
CVE-2017-16541 MEDIUM POC
6.5 Nov 04

Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discove

CVE-2021-38385 HIGH POC
7.5 Aug 30

Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-s

CVE-2018-0491 HIGH POC
7.5 Mar 05

A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. Rated high severity (CVSS 7.5), this vulnerability

CVE-2023-23589 MEDIUM POC
6.5 Jan 14

The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not th

CVE-2020-8516 MEDIUM POC
5.3 Feb 02

The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before att

CVE-2017-8823 HIGH
8.1 Dec 03

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef

CVE-2016-1254 HIGH
7.5 Dec 05

Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden servic

CVE-2016-8860 HIGH
7.5 Jan 04

Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data

CVE-2017-0375 HIGH
7.5 Jun 09

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the r

CVE-2017-0376 HIGH
7.5 Jun 09

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the c

CVE-2017-8821 HIGH
7.5 Dec 03

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef

CVE-2017-0377 HIGH
7.5 Jul 02

Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family

Share

CVE-2026-44601 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy