Skip to main content

Tor EUVDEUVD-2026-28306

| CVE-2026-44603 LOW
Off-by-one Error (CWE-193)
2026-05-07 mitre GHSA-m47q-4224-6rvc
3.7
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
3.7 LOW
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch available
May 07, 2026 - 06:16 EUVD
Analysis Generated
May 07, 2026 - 04:45 vuln.today
CVE Published
May 07, 2026 - 03:21 nvd
LOW 3.7

DescriptionCVE.org

Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007.

AnalysisAI

Out-of-bounds read by one byte in Tor before version 0.4.9.7 when processing malformed BEGIN cells allows remote unauthenticated attackers to cause a denial of service through information disclosure. The vulnerability has a low CVSS impact score (3.7) due to high attack complexity and limited availability impact, though the exact exploitation mechanics require Tor relay configuration and a specially crafted cell.

Technical ContextAI

Tor is an anonymization network that routes traffic through multiple relays using a cell-based protocol. The vulnerability exists in the BEGIN cell handler, which is part of Tor's circuit building protocol. A BEGIN cell initiates a new stream over an existing circuit. The out-of-bounds read (CWE-193: Off-by-one error) occurs when parsing a malformed BEGIN cell, allowing an attacker to read one byte of memory beyond the intended buffer boundary. This memory access violation could leak sensitive information from the Tor process memory or trigger an availability disruption depending on the memory region accessed.

RemediationAI

Upgrade Tor to version 0.4.9.7 or later immediately. This fix is available via the official Tor Project release channels at https://forum.torproject.org/c/news/tor-release-announcement/28. Users should run 'tor --version' to check their current version and update through their operating system package manager (apt, yum, brew, etc.) or by downloading the latest stable release from torproject.org. For users unable to patch immediately, restrict inbound connections to Tor relays to trusted sources if operating a relay; however, this is not a true workaround since Tor's design requires accepting connections from unknown peers. The recommended approach is prompt patching, as the fix has been available upstream and integrated into the stable release cycle.

More in Tor

View all
CVE-2017-16541 MEDIUM POC
6.5 Nov 04

Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discove

CVE-2021-38385 HIGH POC
7.5 Aug 30

Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-s

CVE-2018-0491 HIGH POC
7.5 Mar 05

A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. Rated high severity (CVSS 7.5), this vulnerability

CVE-2023-23589 MEDIUM POC
6.5 Jan 14

The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not th

CVE-2020-8516 MEDIUM POC
5.3 Feb 02

The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before att

CVE-2017-8823 HIGH
8.1 Dec 03

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef

CVE-2016-1254 HIGH
7.5 Dec 05

Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden servic

CVE-2016-8860 HIGH
7.5 Jan 04

Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data

CVE-2017-0375 HIGH
7.5 Jun 09

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the r

CVE-2017-0376 HIGH
7.5 Jun 09

The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the c

CVE-2017-8821 HIGH
7.5 Dec 03

In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 bef

CVE-2017-0377 HIGH
7.5 Jul 02

Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family

Share

EUVD-2026-28306 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy