CVE-2026-44597 Overview
CVE-2026-44597 is an out-of-bounds read vulnerability in the Tor anonymity network software. The flaw, tracked internally as TROVE-2026-011, exists in versions of Tor prior to 0.4.9.7. The vulnerability is triggered when an END, TRUNCATE, or TRUNCATED cell arrives without a reason value in its payload; in this condition Tor's cell parsing logic reads beyond the allocated payload buffer. The issue is classified under CWE-684 (Incorrect Provision of Specified Functionality). An attacker can reach the vulnerable code path remotely over the Tor protocol without authentication or user interaction.
Critical Impact
Remote attackers can trigger an out-of-bounds memory read in Tor processes by sending malformed control cells, potentially causing process instability or limited information exposure.
Affected Products
- Tor versions prior to 0.4.9.7
- Tor relays, clients, and bridges running affected releases
- Downstream packages and distributions bundling vulnerable Tor versions
Discovery Timeline
- 2026-05-07 - CVE-2026-44597 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-44597
Vulnerability Analysis
The vulnerability resides in Tor's relay cell handling code. Tor uses fixed-size cells to multiplex circuit traffic between nodes. Three cell types — END, TRUNCATE, and TRUNCATED — carry an optional single-byte reason code in their payload. The parsing routine assumes this reason byte is present and reads it directly from the payload buffer. When a peer sends one of these cells with an empty payload, Tor reads memory adjacent to the cell buffer. This constitutes an out-of-bounds read across cell boundaries within the relay processing path.
Root Cause
The root cause is missing length validation before accessing the reason field. The code path does not verify that the cell payload contains at least one byte before dereferencing the reason offset. This omission allows the parser to read uninitialized or adjacent memory contents. The upstream fix introduces an explicit length check before the read operation, as documented in the Tor Project commit 8f98054b.
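The pattern described above, shown as an added illustration in C rather than as Tor's own code or the contents of commit 8f98054b: a parser that reads the reason byte without consulting the body length, beside the hardened form that checks for at least one byte first. The structure names (demo_relay_msg_t, DEMO_REASON_MISSING) and the 16-byte cell buffer are constructed for this example; the demo keeps the unchecked read inside its own buffer so it runs without undefined behaviour, whereas in the real bug the read lands outside the declared payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative stand-in for a parsed relay message (not Tor's real struct):
 * a body pointer into the fixed-size cell buffer plus the body length taken
 * from the relay header, both of which an untrusted peer influences. */
typedef struct {
  const uint8_t *body;
  size_t length;
} demo_relay_msg_t;

/* Hypothetical sentinel meaning "no reason byte was present" (not a Tor value). */
#define DEMO_REASON_MISSING (-1)

/* Vulnerable pattern: assumes the reason byte exists and reads it without
 * looking at length. With length == 0 the value returned is whatever sits at
 * body[0], i.e. a byte outside the payload the peer actually sent. */
static int demo_reason_unchecked(const demo_relay_msg_t *msg) {
  return msg->body[0];
}

/* Hardened pattern: the explicit length check the advisory describes. */
static int demo_reason_checked(const demo_relay_msg_t *msg) {
  if (msg->length < 1) {
    return DEMO_REASON_MISSING;
  }
  return msg->body[0];
}

/* Build a constructed message whose body starts at offset `off` of `cell`. */
static demo_relay_msg_t demo_make_msg(const uint8_t *cell, size_t off, size_t len) {
  demo_relay_msg_t m;
  m.body = cell + off;
  m.length = len;
  return m;
}

/* Run both parsers on a zero-length body. Returns 1 when the unchecked parser
 * returned the 0xAA marker (a byte the peer never sent as a reason) and the
 * checked parser refused the read. */
int demo_zero_length_comparison(void) {
  uint8_t cell[16];
  memset(cell, 0xAA, sizeof cell); /* 0xAA marks memory outside the declared payload */
  demo_relay_msg_t msg = demo_make_msg(cell, 0, 0);
  int unchecked = demo_reason_unchecked(&msg);
  int checked = demo_reason_checked(&msg);
  return unchecked == 0xAA && checked == DEMO_REASON_MISSING;
}

/* Well-formed case: a one-byte body carrying reason code 1 (constructed). */
int demo_well_formed_reason(void) {
  uint8_t cell[16] = {0};
  cell[0] = 0x01;
  demo_relay_msg_t msg = demo_make_msg(cell, 0, 1);
  return demo_reason_checked(&msg);
}

int main(void) {
  printf("well-formed cell, checked parser returns reason %d\n", demo_well_formed_reason());
  printf("zero-length body exposes the gap: %s\n",
         demo_zero_length_comparison() ? "yes" : "no");
  return 0;
}
```

The fix is a single comparison, which is typical for this bug class: the length field already exists, the parser simply never consulted it before dereferencing the first payload byte.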
Attack Vector
An attacker controlling a Tor relay or acting as a circuit peer can craft and forward malformed END, TRUNCATE, or TRUNCATED cells with truncated payloads. The malicious cell is delivered through the standard Tor protocol over established TLS connections. Exploitation requires no credentials or user interaction. The high attack complexity reflects timing and network position requirements rather than technical barriers in the bug itself. Successful exploitation produces availability impact through process disruption, with no direct confidentiality or integrity compromise based on the published scoring.
The vulnerability mechanism is described in prose because no verified public exploit code exists. Refer to the Openwall OSS Security discussion and the Tor Project work item 41254 for technical context.
Detection Methods for CVE-2026-44597
Indicators of Compromise
- Unexpected Tor process crashes or restarts on relays, bridges, or clients running versions prior to 0.4.9.7
- Tor log entries indicating malformed cell parsing errors or abnormal circuit teardown events
- Receipt of END, TRUNCATE, or TRUNCATED cells with zero-length payloads from upstream peers
Detection Strategies
- Inventory all hosts running Tor and identify versions below 0.4.9.7 using package management or binary version queries
- Enable Tor info-level logging to capture cell parsing anomalies and correlate with process termination events
- Monitor host telemetry for repeated Tor daemon segmentation faults or watchdog-triggered restarts
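For the inventory step above, a version classifier that parses the line `tor --version` prints (of the form "Tor version 0.4.9.6.") and compares it against 0.4.9.7. This is an added example, not a Tor Project tool; the function names and the assumed output format are this example's own. It compares the four components numerically rather than as strings, so 0.4.10.x sorts after 0.4.9.7, and it declines to classify a pre-release suffix (such as "-alpha") on the fixed version number itself.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* First fixed release named in the advisory. */
#define FIXED_MAJOR 0
#define FIXED_MINOR 4
#define FIXED_MICRO 9
#define FIXED_PATCH 7

typedef struct {
  int parts[4];
  int has_suffix; /* 1 if a "-..." suffix followed the numeric version */
} tor_version_t;

/* Parse "Tor version A.B.C.D" out of `line`. Trailing period or a "-suffix"
 * after the four numbers are tolerated. Returns 0 on success, -1 otherwise. */
int parse_tor_version(const char *line, tor_version_t *out) {
  const char *p = strstr(line, "Tor version ");
  if (!p) return -1;
  p += strlen("Tor version ");
  for (int i = 0; i < 4; i++) {
    if (!isdigit((unsigned char)*p)) return -1;
    char *end;
    long v = strtol(p, &end, 10);
    out->parts[i] = (int)v;
    p = end;
    if (i < 3) {
      if (*p != '.') return -1;
      p++;
    }
  }
  out->has_suffix = (*p == '-');
  return 0;
}

/* Component-wise numeric comparison: -1, 0 or 1. */
static int version_cmp(const tor_version_t *a, const tor_version_t *b) {
  for (int i = 0; i < 4; i++) {
    if (a->parts[i] != b->parts[i]) return a->parts[i] < b->parts[i] ? -1 : 1;
  }
  return 0;
}

/* 1 if the version on `line` is below 0.4.9.7, 0 if at or above it,
 * -1 if the line cannot be parsed or is a pre-release of 0.4.9.7 itself
 * (both cases should be reviewed manually). */
int tor_version_is_affected(const char *line) {
  tor_version_t v;
  tor_version_t fixed = {{FIXED_MAJOR, FIXED_MINOR, FIXED_MICRO, FIXED_PATCH}, 0};
  if (parse_tor_version(line, &v) != 0) return -1;
  int c = version_cmp(&v, &fixed);
  if (c < 0) return 1;
  if (c == 0 && v.has_suffix) return -1;
  return 0;
}

int main(void) {
  /* Constructed sample lines in the shape of `tor --version` output. */
  const char *samples[] = {
    "Tor version 0.4.9.6.",
    "Tor version 0.4.9.7.",
    "Tor version 0.4.10.1.",
    "Tor version 0.4.9.7-alpha.",
    "not a tor version line",
  };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    printf("%-32s -> %d\n", samples[i], tor_version_is_affected(samples[i]));
  }
  return 0;
}
```

Feed it the first line of `tor --version` from each host in the inventory; a result of 1 marks a host that still needs the upgrade, and -1 marks output the script could not classify.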
Monitoring Recommendations
- Forward Tor service logs and host crash telemetry to a centralized logging platform for correlation
- Track inbound and outbound circuit failure rates, since deviations from baseline may indicate exploitation attempts
- Alert on Tor process exits with non-zero status codes on relay infrastructure
How to Mitigate CVE-2026-44597
Immediate Actions Required
- Upgrade all Tor installations to version 0.4.9.7 or later as announced in the Tor Project release announcement
- Audit relay, bridge, and client deployments for unpatched binaries across all operating systems
- Restart Tor services after upgrade to ensure the patched binary is loaded into memory
Patch Information
The Tor Project addressed this issue in version 0.4.9.7. The fix adds explicit payload length validation before reading the reason byte from END, TRUNCATE, and TRUNCATED cells. The patch is published in Tor Project commit 8f98054b. Distribution maintainers should rebuild downstream packages against the patched source.
Workarounds
- No supported workaround exists short of upgrading to the patched release
- Operators of high-value relays should prioritize the upgrade and verify version strings post-deployment
- Reduce exposure by limiting which untrusted peers can establish circuits through controlled relay policies where operationally feasible
# Verify installed Tor version after upgrade
tor --version
# Example package upgrade on Debian-based systems
sudo apt update && sudo apt install --only-upgrade tor
sudo systemctl restart tor
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.