Skip to main content

Tor EUVDEUVD-2026-28231

| CVE-2026-44597 LOW
Incorrect Provision of Specified Functionality (CWE-684)
2026-05-07 mitre GHSA-94jg-w625-jq92
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

5
Patch available
May 07, 2026 - 06:16 EUVD
Analysis Generated
May 07, 2026 - 03:45 vuln.today
CVSS changed
May 07, 2026 - 02:34 NVD
3.7 (LOW)
CVE Published
May 07, 2026 - 00:56 nvd
UNKNOWN (no severity yet)
CVE Published
May 07, 2026 - 00:56 nvd
LOW 3.7

DescriptionCVE.org

Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011.

AnalysisAI

Out-of-bounds read in Tor before version 0.4.9.7 occurs when END, TRUNCATE, or TRUNCATED cells lack a reason field in their payload, allowing remote unauthenticated attackers to trigger a denial of service condition. The vulnerability requires high attack complexity and results in availability impact only. CVSS score is 3.7 with no active exploitation (KEV) or public exploit code confirmed at time of analysis.

Technical ContextAI

Tor is a decentralized anonymity network using relay cells to transmit data between nodes. END, TRUNCATE, and TRUNCATED cells are control protocol messages exchanged during circuit closure or error handling. The vulnerability exists in the cell parsing logic where the code attempts to read a 'reason' field from the cell payload without proper bounds checking when this field is absent or malformed. This is classified as CWE-684 (Incorrect Provision of Specified Functionality), indicating a missing or incomplete validation mechanism in the cell deserialization routine. The out-of-bounds read occurs when the parser attempts to access memory beyond the valid cell payload boundary.

RemediationAI

Upgrade Tor to version 0.4.9.7 or later immediately. This is the vendor-released patch that resolves the out-of-bounds read by adding proper bounds validation when parsing cell payloads. Users running Tor relay nodes or clients should update via their package manager or download directly from the Tor Project website (https://www.torproject.org/download/). No workarounds are available for unpatched versions; the only mitigation is patching. Side effect of updating: brief service restart may be required depending on deployment context, but no breaking changes are expected.

More in Tor

View all
CVE-2017-16541 MEDIUM POC
6.5 Nov 04

Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discove

CVE-2021-38385 HIGH POC
7.5 Aug 30

Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-s

CVE-2018-0491 HIGH POC
7.5 Mar 05

A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. Rated high severity (CVSS 7.5), this vulnerability

CVE-2023-23589 MEDIUM POC
6.5 Jan 14

The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not th

CVE-2020-8516 MEDIUM POC
5.3 Feb 02

The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before att

CVE-2017-8823 HIGH
8.1 Dec 03

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef

CVE-2016-1254 HIGH
7.5 Dec 05

Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden servic

CVE-2016-8860 HIGH
7.5 Jan 04

Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data

CVE-2017-0375 HIGH
7.5 Jun 09

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the r

CVE-2017-0376 HIGH
7.5 Jun 09

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the c

CVE-2017-8821 HIGH
7.5 Dec 03

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef

CVE-2017-0377 HIGH
7.5 Jul 02

Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family

Share

EUVD-2026-28231 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy