Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006.
AnalysisAI
Tor before version 0.4.9.7 crashes due to a NULL pointer dereference when CERT cells are received out of order, causing denial of service against relay nodes and clients. Remote unauthenticated attackers on the network can trigger this crash by sending malformed cell sequences, disabling affected Tor instances. No active exploitation confirmed, but the vulnerability affects core protocol handling in all affected versions.
Technical ContextAI
Tor is an anonymous communication network that relies on a series of relays to route traffic. The protocol uses CERT cells as part of the TLS handshake and connection establishment process to exchange X.509 certificates between nodes. The vulnerability exists in the cell processing logic that handles CERT cells - a NULL pointer dereference in CWE-476 - which occurs when CERT cells arrive in an unexpected order relative to other cell types during connection setup. The affected CPE cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:* indicates all Tor versions before 0.4.9.7 are vulnerable. This is a protocol-level parsing flaw in how the Tor daemon processes incoming cell sequences.
RemediationAI
Upgrade Tor to version 0.4.9.7 or later immediately. The patch is vendor-released in Tor 0.4.9.7 as confirmed by the project's GitLab commit history. No workarounds are available because the flaw exists in core protocol parsing; however, operators can temporarily mitigate by restricting inbound Tor protocol connections to known, trusted relay addresses via firewall rules, though this breaks Tor's distributed architecture and is not recommended for long-term deployments. The primary fix is a straightforward upgrade with no known side effects or breaking changes in 0.4.9.7. Consult https://www.torproject.org for release notes and upgrade instructions specific to your distribution or installation method.
Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discove
Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-s
A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. Rated high severity (CVSS 7.5), this vulnerability
The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not th
The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before att
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef
Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden servic
Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data
The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the r
The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the c
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef
Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28304
GHSA-323g-q36v-hmmc