Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue.
AnalysisAI
Tor before version 0.4.9.7 mishandles memory accounting in the conflux out-of-order queue during queue clearing operations, leading to a denial-of-service condition through resource exhaustion. Unauthenticated remote attackers can exploit this via network-level packet manipulation to trigger improper queue state management, causing availability degradation on affected Tor relays and clients. The vulnerability has a low severity CVSS score (3.7) due to attack complexity and availability-only impact, with no confirmed active exploitation at time of analysis.
Technical ContextAI
Tor's conflux protocol implements out-of-order packet queue management to handle network packet reordering. The vulnerability exists in CWE-696 (Incorrect Behavior Order) - specifically, the accounting mechanism that tracks memory allocations for queued packets fails to properly decrement or validate queue state when clearing operations occur. This suggests a logic error in the queue lifecycle management where allocated memory is not correctly freed or accounted for during teardown, potentially leading to unbounded growth or exhaustion of memory resources dedicated to queue buffers. The conflux feature is part of Tor's relay and client communication stack, making all implementations potentially vulnerable if conflux is enabled.
RemediationAI
Upgrade Tor to version 0.4.9.7 or later. This version includes the upstream fix committed to the Tor repository (commit a198185ed863677d60eec120126730628dac35bb). Users running Tor relays or clients should apply this update as soon as possible via their package manager or by downloading directly from the Tor Project website (https://www.torproject.org/download/). If immediate patching is not feasible, operators may temporarily mitigate by disabling conflux protocol support via configuration settings if such options are available in their deployed version, though this may impact network performance and anonymity properties - consult Tor documentation for trade-offs. Monitor Tor relay logs for signs of memory exhaustion or repeated connection teardowns, which may indicate exploitation attempts.
Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discove
Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-s
A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. Rated high severity (CVSS 7.5), this vulnerability
The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not th
The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before att
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef
Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden servic
Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data
The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the r
The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the c
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef
Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family
Same weakness CWE-696 – Incorrect Behavior Order
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28237
GHSA-7cv5-2ch3-g323