CVE-2026-44599 Overview
CVE-2026-44599 is a low-severity information exposure vulnerability in the Tor anonymity network, tracked internally by the Tor Project as TROVE-2026-008. The flaw affects Tor versions before 0.4.9.7. Vulnerable Tor instances can attempt or accept BEGIN_DIR cells over conflux legs, a behavior that should not occur on multipath circuits used for general traffic. The issue is classified under [CWE-669: Incorrect Resource Transfer Between Spheres], indicating that directory-fetch traffic can cross into circuit contexts where it does not belong. The vulnerability requires specific network conditions to trigger and does not enable code execution or full data disclosure.
Critical Impact
Tor relays and clients running versions prior to 0.4.9.7 may leak limited integrity guarantees by accepting BEGIN_DIR cells through conflux legs, a multipath transport not intended for directory traffic.
Affected Products
- Tor versions prior to 0.4.9.7
- Tor relays and clients with conflux multipath transport enabled
- Downstream packages bundling vulnerable Tor releases
Discovery Timeline
- 2026-05-07 - CVE-2026-44599 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-44599
Vulnerability Analysis
The vulnerability resides in how Tor handles BEGIN_DIR cells when conflux is in use. Conflux is a Tor feature that splits traffic across multiple circuit legs to improve performance and resilience. BEGIN_DIR is a control cell used by clients to open a stream for fetching directory information from a relay. The two mechanisms should remain separate. In affected versions, Tor can attempt to send or accept BEGIN_DIR cells across conflux legs, mixing directory request semantics with general-purpose multipath circuits.
This cross-context handling violates the design contract between conflux transport and directory protocol streams. The exposure is bounded: the [CWE-669] classification reflects an improper resource transfer rather than memory corruption or authentication bypass. Because conditions are narrow and impact is limited to integrity, exploitation provides little leverage to an attacker beyond protocol-level anomalies.
Root Cause
The root cause is missing validation of stream type against transport context. Tor's stream handling code did not reject BEGIN_DIR requests when the underlying circuit was a conflux leg. The fix, applied in commit 50f90ba849088247734786922855c22661c6fa03, blocks attempting and accepting BEGIN_DIR over conflux legs to restore the intended separation.
Attack Vector
An attacker on the network must induce a target Tor instance to negotiate a conflux circuit and then steer or accept a BEGIN_DIR cell through one of its legs. The attack complexity is high and requires no privileges or user interaction. There is no public exploit, the issue is not listed in the CISA Known Exploited Vulnerabilities catalog, and no in-the-wild abuse has been reported. See the Tor Project Work Item and the OpenWall OSS Security Discussion for protocol-level details.
Detection Methods for CVE-2026-44599
Indicators of Compromise
- Tor relay logs showing BEGIN_DIR cells received on circuits flagged as conflux legs
- Anomalous directory fetch streams correlated with multipath circuit identifiers
- Tor process versions reporting builds earlier than 0.4.9.7
Detection Strategies
- Inventory all Tor binaries and packages across endpoints and servers, then flag versions prior to 0.4.9.7
- Enable verbose protocol logging on Tor relays under controlled conditions to surface unexpected BEGIN_DIR activity on conflux legs
- Correlate Tor process telemetry with network metadata to identify hosts running outdated builds
Monitoring Recommendations
- Track package manager events for tor upgrades and downgrades to ensure patched versions remain in place
- Alert on Tor service restarts that revert to versions prior to 0.4.9.7
- Monitor the Tor Project Release Announcement channel for follow-up advisories
How to Mitigate CVE-2026-44599
Immediate Actions Required
- Upgrade all Tor instances to version 0.4.9.7 or later across relays, bridges, and clients
- Audit downstream distributions and bundled applications such as Tor Browser for the patched Tor library
- Restart Tor services after upgrade to ensure the vulnerable code paths are unloaded
Patch Information
The Tor Project addressed this issue in version 0.4.9.7. The corrective change is published in commit 50f90ba849088247734786922855c22661c6fa03, which prevents Tor from attempting or accepting BEGIN_DIR cells via conflux legs. Refer to the Tor Project Commit Update for the exact code change and the Tor Project Release Announcement for release notes.
Workarounds
- Disable conflux on relays and clients where operationally acceptable until patched binaries are deployed
- Restrict directory fetch traffic to known authority and HSDir circuits using existing torrc policy controls
- Apply distribution security updates promptly to receive backported fixes
# Verify installed Tor version and upgrade on Debian/Ubuntu
tor --version
sudo apt-get update && sudo apt-get install --only-upgrade tor
sudo systemctl restart tor
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
