CVE-2026-44600 Overview
CVE-2026-44600 affects Tor versions before 0.4.9.7. The Tor Project tracks the issue internally as TROVE-2026-010. The flaw stems from improper accounting of the conflux out-of-order queue when the queue is cleared. The conflux feature splits and recombines circuit traffic across multiple paths to improve performance and resilience.
The vulnerability is classified under CWE-696 (Incorrect Behavior Order). It produces low availability impact with no compromise of confidentiality or integrity. Attackers can reach the affected logic over the network without authentication, but exploitation has high complexity.
Critical Impact
Improper queue accounting in Tor's conflux logic can produce inconsistent internal state, potentially leading to limited availability degradation in affected relays and clients.
Affected Products
- Tor versions prior to 0.4.9.7
- Tor relays and clients that use the conflux feature
- Downstream distributions packaging vulnerable Tor releases
Discovery Timeline
- 2026-05-07 - CVE-2026-44600 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-44600
Vulnerability Analysis
Tor's conflux subsystem multiplexes traffic across multiple circuits to combine bandwidth and reduce latency. To handle packets that arrive on the slower leg, conflux maintains an out-of-order queue that buffers cells until in-order delivery is possible.
When the queue is cleared, internal counters tracking queued cells are not updated correctly. This produces a mismatch between the actual queue state and the bookkeeping variables used by surrounding logic. The discrepancy violates ordering invariants that other code paths rely on, matching the behavior described by CWE-696.
The Tor Project addressed the issue in commit a198185ed863677d60eec120126730628dac35bb and tracks remediation under work item #41251. Full technical context is available in the Tor Project Commit Update and the OpenWall OSS-Security Discussion.
Root Cause
The queue clearing routine resets buffered data without synchronizing the counters that track outstanding cells. Subsequent operations consume these stale counters and reach incorrect decisions about queue capacity and flow control.
Attack Vector
A remote peer participating in a conflux-enabled circuit can drive the queue into the clearing path. Triggering the inconsistent state requires specific conditions, which raises attack complexity. Successful triggering produces availability impact limited to the affected Tor process, with no leakage of user content or circuit identity.
The vulnerability does not enable code execution and does not weaken Tor's anonymity guarantees. Refer to the Tor Project Release Announcement for the operator-facing summary.
Detection Methods for CVE-2026-44600
Indicators of Compromise
- Tor process logs showing repeated conflux circuit teardowns or unexpected queue resets
- Crashes, hangs, or assertion failures referencing conflux modules in Tor releases earlier than 0.4.9.7
- Anomalous spikes in conflux circuit churn from a small set of remote peers
Detection Strategies
- Inventory all Tor binaries across relays, bridges, and client systems and flag versions earlier than 0.4.9.7.
- Monitor Tor notice and warn log levels for conflux-related warnings and unexpected circuit closures.
- Correlate availability dips on Tor services with control port GETINFO data to detect circuit-level instability.
Monitoring Recommendations
- Forward Tor logs to a centralized log platform and alert on conflux subsystem warnings.
- Track relay uptime and bandwidth metrics for sudden degradation that aligns with conflux activity.
- Validate package versions during routine configuration audits to confirm patched builds remain in place.
How to Mitigate CVE-2026-44600
Immediate Actions Required
- Upgrade all Tor installations to version 0.4.9.7 or later as published in the Tor Project Release Announcement.
- Restart Tor services after upgrading to ensure the patched conflux logic is loaded.
- Verify operating system package repositories ship the fixed version before deploying new relays or bridges.
Patch Information
The fix lands in Tor 0.4.9.7 and is implemented in commit a198185ed863677d60eec120126730628dac35bb. Tracking and review notes are available in Tor Project Work Item #41251. Operators using distribution packages should pull the corresponding backported builds.
Workarounds
- Disable conflux usage through torrc options where operationally acceptable until upgrades complete.
- Restrict relay exposure by enforcing rate limits and bandwidth caps to reduce the surface for queue manipulation.
- Apply distribution-level updates promptly and validate that systemd or init scripts restart the Tor daemon after package replacement.
```bash
# Configuration example
# Verify installed Tor version meets the patched release
tor --version
# Upgrade on Debian/Ubuntu systems
sudo apt update && sudo apt install --only-upgrade tor
# Restart and confirm service health
sudo systemctl restart tor
sudo systemctl status tor
```
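The version inventory under Detection Strategies and the torrc workaround above can be checked together per host. The script below is an added example, not Tor Project code: it parses `tor --version` output, compares the numeric fields against 0.4.9.7, and reports whether conflux is switched off in torrc. The `ConfluxEnabled` option name comes from the tor manual rather than this page, the status tag (`-alpha`, `-rc`, `-dev`) is ignored on the assumption that Tor versions are distinguishable by their numeric fields, and the function names and sample inputs are constructed.

```shell
#!/bin/sh
# Added example, not Tor Project code. Sample inputs at the bottom are constructed.
FIXED="0.4.9.7"   # first fixed release per this advisory

# Pull the numeric version out of `tor --version` output ("Tor version 0.4.8.10.").
banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/^Tor version \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# Succeed if dotted version $1 is strictly older than $2; missing fields count as 0.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# Effective ConfluxEnabled value from torrc text. Assumptions in this sketch:
# the last uncommented setting wins, and an unset option means "auto".
conflux_setting() {
    v=$(printf '%s\n' "$1" |
        awk 'tolower($1) == "confluxenabled" { v = tolower($2) } END { print v }')
    echo "${v:-auto}"
}

# Classify a host: patched | exposed | exposed-conflux-off | unknown.
assess() {
    ver=$(banner_version "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    if ! ver_lt "$ver" "$FIXED"; then echo patched
    elif [ "$(conflux_setting "$2")" = "0" ]; then echo exposed-conflux-off
    else echo exposed
    fi
}

# Constructed samples. On a real host, pass "$(tor --version)" and the torrc contents.
assess 'Tor version 0.4.8.10.' 'SocksPort 9050'      # exposed
assess 'Tor version 0.4.8.10.' 'ConfluxEnabled 0'    # exposed-conflux-off
assess 'Tor version 0.4.9.7.' ''                     # patched
```

A distribution build that backports the fix under an older upstream version number is reported as `exposed` by this check, so confirm those hosts against the package changelog.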