Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007.
AnalysisAI
Out-of-bounds read by one byte in Tor before version 0.4.9.7 when processing malformed BEGIN cells allows remote unauthenticated attackers to cause a denial of service through information disclosure. The vulnerability has a low CVSS impact score (3.7) due to high attack complexity and limited availability impact, though the exact exploitation mechanics require Tor relay configuration and a specially crafted cell.
Technical ContextAI
Tor is an anonymization network that routes traffic through multiple relays using a cell-based protocol. The vulnerability exists in the BEGIN cell handler, which is part of Tor's circuit building protocol. A BEGIN cell initiates a new stream over an existing circuit. The out-of-bounds read (CWE-193: Off-by-one error) occurs when parsing a malformed BEGIN cell, allowing an attacker to read one byte of memory beyond the intended buffer boundary. This memory access violation could leak sensitive information from the Tor process memory or trigger an availability disruption depending on the memory region accessed.
RemediationAI
Upgrade Tor to version 0.4.9.7 or later immediately. This fix is available via the official Tor Project release channels at https://forum.torproject.org/c/news/tor-release-announcement/28. Users should run 'tor --version' to check their current version and update through their operating system package manager (apt, yum, brew, etc.) or by downloading the latest stable release from torproject.org. For users unable to patch immediately, restrict inbound connections to Tor relays to trusted sources if operating a relay; however, this is not a true workaround since Tor's design requires accepting connections from unknown peers. The recommended approach is prompt patching, as the fix has been available upstream and integrated into the stable release cycle.
Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discove
Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-s
A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. Rated high severity (CVSS 7.5), this vulnerability
The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not th
The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before att
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef
Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden servic
Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data
The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the r
The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the c
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef
Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family
Same weakness CWE-193 – Off-by-one Error
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28306
GHSA-m47q-4224-6rvc