CVE-2026-44601 Overview
CVE-2026-44601 is a denial-of-service vulnerability in the Tor anonymity network client, tracked internally by the Tor Project as TROVE-2026-009. The flaw affects Tor versions before 0.4.9.7 and triggers a client crash when circuit queue memory pressure exists. Under those conditions, Tor performs a double close of a circuit, leading to abnormal process termination. The issue is categorized under CWE-837: Improper Enforcement of a Single, Unique Action. Exploitation requires specific runtime conditions, and impact is limited to availability of the local Tor client.
Critical Impact
A remote condition involving circuit queue memory pressure can crash a Tor client through a double-close on the same circuit, disrupting the user's anonymous network connectivity until the process is restarted.
Affected Products
- Tor versions prior to 0.4.9.7
- Tor client builds relying on the affected circuit handling code path
- Downstream packages bundling vulnerable Tor releases
Discovery Timeline
- 2026-05-07 - CVE-2026-44601 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-44601
Vulnerability Analysis
The vulnerability lives in the Tor client's circuit lifecycle management. When the circuit queue accumulates pending cells under memory pressure, the cleanup logic can invoke the circuit close routine twice on the same circuit object. The duplicated close path violates the assumption that a circuit transitions from open to closed exactly once. The result is a process-level crash that terminates the Tor client and breaks any tunnels routed through it.
The defect is a logic-level enforcement failure rather than a memory corruption primitive. Confidentiality and integrity are not affected, and the impact is constrained to availability of the Tor client process. Exploitation conditions are narrow because the trigger depends on circuit queue memory pressure occurring at a specific moment in circuit teardown.
Root Cause
The root cause is improper enforcement of a single, unique action [CWE-837] in circuit close handling. Two independent code paths can each request a close on the same circuit when out-of-memory handling intersects with normal circuit teardown. The Tor Project addressed this in commit d4e3f6a440b58c2be661decf20c09548704907dc, which adjusts the close logic so that a circuit cannot be closed twice. Additional context is tracked in Tor Project Work Item #41237.
Attack Vector
The attack vector is network-based with high attack complexity. A remote actor would need to induce circuit queue memory pressure on the targeted client, for example by influencing traffic patterns through circuits the client has built. No authentication or user interaction is required, but the timing-dependent nature of the double close limits practical exploitation. Successful triggering produces a crash of the Tor process, denying anonymous network access until the client restarts. See the Openwall OSS-Security Discussion for additional analysis.
No verified public exploit code is available. Refer to the Tor Project Commit Update for the authoritative technical fix.
Detection Methods for CVE-2026-44601
Indicators of Compromise
- Unexpected termination of the tor process accompanied by assertion failures or messages referencing circuit close in notice.log or info.log.
- Repeated Tor client restarts on a host that previously ran stably, particularly under heavy circuit usage.
- System journal or supervisor entries showing Tor exiting with a non-zero status during periods of high network traffic.
Detection Strategies
- Inventory deployed Tor binaries and flag any version below 0.4.9.7 as vulnerable.
- Monitor Tor log files for warnings related to out-of-memory handling, circuit queue pressure, and double-close conditions.
- Correlate Tor process crashes with concurrent network telemetry to distinguish operational issues from targeted triggers.
Monitoring Recommendations
- Forward Tor logs and process exit events to a centralized logging or SIEM platform for trend analysis.
- Alert on repeated tor service restarts within short time windows on the same host.
- Track package versions across endpoints and servers to confirm patched builds remain installed after updates.
How to Mitigate CVE-2026-44601
Immediate Actions Required
- Upgrade all Tor installations to version 0.4.9.7 or later, which contains the upstream fix.
- Identify any embedded or bundled Tor components in third-party software and apply vendor-supplied updates that incorporate the patched release.
- Restart the Tor service after upgrading to ensure the patched binary is active.
Patch Information
The Tor Project released the fix in version 0.4.9.7. The corrective change is captured in commit d4e3f6a440b58c2be661decf20c09548704907dc and announced through the Tor Project Release Announcement. Operators relying on distribution packages should track their vendor's advisories for backported fixes.
Workarounds
- No supported workaround replaces the patch; upgrading to 0.4.9.7 is the recommended remediation.
- Where immediate upgrade is not possible, configure process supervision to automatically restart the Tor client on crash to limit availability impact.
- Reduce exposure to abnormal traffic conditions by tuning resource limits and monitoring memory utilization on hosts running Tor.
# Configuration example: verify installed Tor version and restart service after upgrade
tor --version
sudo systemctl restart tor
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
