Skip to main content

Tor CVE-2026-44602

| EUVDEUVD-2026-28304 LOW
NULL Pointer Dereference (CWE-476)
2026-05-07 mitre GHSA-323g-q36v-hmmc
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch available
May 07, 2026 - 06:16 EUVD
Analysis Generated
May 07, 2026 - 04:45 vuln.today
CVE Published
May 07, 2026 - 03:17 nvd
LOW 3.7

DescriptionCVE.org

Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006.

AnalysisAI

Tor before version 0.4.9.7 crashes due to a NULL pointer dereference when CERT cells are received out of order, causing denial of service against relay nodes and clients. Remote unauthenticated attackers on the network can trigger this crash by sending malformed cell sequences, disabling affected Tor instances. No active exploitation confirmed, but the vulnerability affects core protocol handling in all affected versions.

Technical ContextAI

Tor is an anonymous communication network that relies on a series of relays to route traffic. The protocol uses CERT cells as part of the TLS handshake and connection establishment process to exchange X.509 certificates between nodes. The vulnerability exists in the cell processing logic that handles CERT cells - a NULL pointer dereference in CWE-476 - which occurs when CERT cells arrive in an unexpected order relative to other cell types during connection setup. The affected CPE cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:* indicates all Tor versions before 0.4.9.7 are vulnerable. This is a protocol-level parsing flaw in how the Tor daemon processes incoming cell sequences.

RemediationAI

Upgrade Tor to version 0.4.9.7 or later immediately. The patch is vendor-released in Tor 0.4.9.7 as confirmed by the project's GitLab commit history. No workarounds are available because the flaw exists in core protocol parsing; however, operators can temporarily mitigate by restricting inbound Tor protocol connections to known, trusted relay addresses via firewall rules, though this breaks Tor's distributed architecture and is not recommended for long-term deployments. The primary fix is a straightforward upgrade with no known side effects or breaking changes in 0.4.9.7. Consult https://www.torproject.org for release notes and upgrade instructions specific to your distribution or installation method.

More in Tor

View all
CVE-2017-16541 MEDIUM POC
6.5 Nov 04

Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discove

CVE-2021-38385 HIGH POC
7.5 Aug 30

Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-s

CVE-2018-0491 HIGH POC
7.5 Mar 05

A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. Rated high severity (CVSS 7.5), this vulnerability

CVE-2023-23589 MEDIUM POC
6.5 Jan 14

The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not th

CVE-2020-8516 MEDIUM POC
5.3 Feb 02

The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before att

CVE-2017-8823 HIGH
8.1 Dec 03

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef

CVE-2016-1254 HIGH
7.5 Dec 05

Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden servic

CVE-2016-8860 HIGH
7.5 Jan 04

Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data

CVE-2017-0375 HIGH
7.5 Jun 09

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the r

CVE-2017-0376 HIGH
7.5 Jun 09

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the c

CVE-2017-8821 HIGH
7.5 Dec 03

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef

CVE-2017-0377 HIGH
7.5 Jul 02

Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family

Share

CVE-2026-44602 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy