Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka TROVE-2026-009.
AnalysisAI
Tor before version 0.4.9.7 can crash due to a double-close vulnerability in circuit handling when memory pressure conditions exist on the circuit queue, resulting in denial of service to affected clients. The vulnerability requires specific network conditions (high circuit queue load) to trigger but affects all Tor clients running vulnerable versions. A patch is available in Tor 0.4.9.7 and later.
Technical ContextAI
Tor is an anonymity network that routes traffic through encrypted circuits composed of multiple relays. The vulnerability resides in circuit lifecycle management code that handles memory pressure scenarios. CWE-837 represents an improper enforcement of behavioral workflow, specifically where the circuit close handler fails to properly track closure state, leading to a double-close condition when queue memory limits are exceeded. The affected code path is triggered during circuit cleanup when memory pressure forces the deallocation of queued circuit entries, and the buggy handler attempts to close an already-closed circuit resource, causing a crash in the Tor client process.
RemediationAI
Upgrade to Tor version 0.4.9.7 or later to obtain the vendor-released patch. Users should update via their Tor installation method (package manager for most Linux distributions, official Tor Browser updates, or manual compilation from source). Administrators managing Tor relays or clients should prioritize upgrades within two weeks of release availability. Until patching is possible, no effective workaround exists to prevent the double-close condition, as it is inherent to the circuit lifecycle code. However, the vulnerability only manifests under memory pressure on the circuit queue, so systems with ample available memory may experience crashes less frequently. For high-availability deployments, implementing process monitoring and automatic restart of crashed Tor instances can mitigate the denial-of-service impact while patches are prepared.
Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discove
Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-s
A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. Rated high severity (CVSS 7.5), this vulnerability
The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not th
The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before att
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef
Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden servic
Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data
The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the r
The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the c
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef
Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28302
GHSA-fc55-xrcv-x657