CVE-2026-44602 Overview
CVE-2026-44602 is a NULL pointer dereference vulnerability in the Tor anonymity network daemon, tracked internally by the Tor Project as TROVE-2026-006. The flaw affects Tor versions before 0.4.9.7 and triggers when a CERT cell is received out of order during the link handshake. A remote attacker can send a malformed cell sequence over the network to crash the Tor process, producing a denial-of-service condition. The issue is classified under CWE-476: NULL Pointer Dereference.
Critical Impact
Remote attackers can crash Tor relays or clients by sending a CERT cell out of the expected handshake sequence, disrupting availability of the affected node.
Affected Products
- Tor daemon versions prior to 0.4.9.7
- Tor relays, bridges, and clients built on the affected upstream codebase
- Downstream packages bundling vulnerable Tor builds
Discovery Timeline
- 2026-05-07 - CVE-2026-44602 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-44602
Vulnerability Analysis
The vulnerability resides in Tor's link protocol handling, where peers exchange CERT, AUTH_CHALLENGE, AUTHENTICATE, and NETINFO cells during connection setup. The receiving code assumes a specific ordering of cells and dereferences pointers initialized by earlier handshake states. When a CERT cell arrives outside that expected sequence, a required structure remains unset and the code accesses a NULL pointer, terminating the process.
Because the trigger is reachable before authentication completes, no credentials or onion-service interaction are required. The impact is limited to availability: the Tor process crashes, but no memory disclosure or code execution path has been reported. Repeated exploitation can keep a relay or client offline, degrading network capacity and reachability for users depending on the affected node.
Root Cause
The defect is a missing state validation check in the cell dispatcher. The handler proceeds to operate on a connection-state object expected to be populated by a prior handshake step. When the peer sends CERT out of order, that object is NULL, and the dereference faults the daemon. The upstream fix adds the appropriate ordering and nullity checks. See the Tor Project commit details.
Attack Vector
Exploitation occurs over the network on any TCP port where the target Tor instance accepts inbound link connections. The attacker establishes a TLS connection to the victim and emits a CERT cell at an unexpected point in the handshake. Attack complexity is high because the attacker must construct a valid Tor link-layer session up to the trigger point. The vulnerability can be exercised from any internet-reachable host without prior authentication.
No public proof-of-concept exploit has been associated with this CVE at the time of publication. Technical context is documented in the Tor Project work item and the OpenWall OSS Security update.
Detection Methods for CVE-2026-44602
Indicators of Compromise
- Unexpected termination of the tor process with a segmentation fault signature in system logs or coredump artifacts.
- Tor notice or warn log entries referencing handshake failures or abnormal connection teardown immediately before a crash.
- Repeated short-lived inbound TLS connections from the same remote address followed by daemon restart events.
Detection Strategies
- Monitor service-supervisor logs (systemd, runit, custom wrappers) for unscheduled restarts of the tor unit.
- Correlate Tor notice.log and info.log entries with operating system kernel messages reporting SIGSEGV in the Tor binary.
- Track inbound link-layer connection patterns to identify repeated handshake attempts that terminate before NETINFO exchange.
Monitoring Recommendations
- Alert on Tor process exit codes consistent with a crash, particularly across multiple relays in the same operator fleet.
- Capture and retain core dumps for forensic review to confirm the NULL pointer dereference signature.
- Watch the OpenWall OSS Security list and the Tor release announcement forum for follow-up advisories.
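The log correlation described under Detection Strategies and Monitoring Recommendations, as an added example that is not part of the original advisory or of Tor Project code: it pairs systemd SEGV exits of the tor unit with kernel segfault lines and flags hosts that crash repeatedly at a near-NULL address. The log lines are constructed, and the host names, the `tor@default.service` unit name, the 0x1000 cutoff and the 15-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt in `journalctl -o short-iso` shape; hosts, PIDs and addresses are made up.
SAMPLE_LOG = """\
2026-05-08T10:14:37+0000 relay1 kernel: tor[2211]: segfault at 0 ip 000055d0c8a1b2f3 sp 00007ffd3c5e1a40 error 4 in tor[55d0c8900000+2a0000]
2026-05-08T10:14:37+0000 relay1 systemd[1]: tor@default.service: Main process exited, code=killed, status=11/SEGV
2026-05-08T10:20:05+0000 relay1 kernel: tor[2390]: segfault at 18 ip 000055d0c8a1b2f3 sp 00007ffe11c0e2b0 error 4 in tor[55d0c8900000+2a0000]
2026-05-08T10:20:05+0000 relay1 systemd[1]: tor@default.service: Main process exited, code=killed, status=11/SEGV
2026-05-08T10:31:12+0000 relay2 kernel: tor[901]: segfault at 7f3a10002000 ip 00005601b7c4d110 sp 00007ffc9a0b3f80 error 6 in tor[5601b7b00000+2a0000]
2026-05-08T10:31:12+0000 relay2 systemd[1]: tor@default.service: Main process exited, code=killed, status=11/SEGV
2026-05-08T11:02:40+0000 relay2 systemd[1]: tor@default.service: Main process exited, code=exited, status=1/FAILURE
"""

KERNEL_FAULT = re.compile(r"^(\S+) (\S+) kernel: tor\[\d+\]: segfault at ([0-9a-f]+) ")
SEGV_EXIT = re.compile(r"^(\S+) (\S+) systemd\[1\]: (tor\S*\.service): Main process exited, code=killed, status=11/SEGV")

def _ts(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z")

def find_crashes(log_text, pair_window=timedelta(seconds=5)):
    """One record per SEGV exit of a tor unit, paired with the latest kernel fault on that host."""
    faults, crashes = {}, []          # faults: host -> (time, fault address)
    for line in log_text.splitlines():
        if m := KERNEL_FAULT.match(line):
            faults[m[2]] = (_ts(m[1]), int(m[3], 16))
        elif m := SEGV_EXIT.match(line):
            when, host = _ts(m[1]), m[2]
            seen, addr = faults.get(host, (None, None))
            if seen is None or when - seen > pair_window:
                addr = None           # no kernel line close enough to pair with
            # Heuristic: a fault inside the first page is consistent with a NULL dereference.
            crashes.append({"time": when, "host": host, "unit": m[3], "fault_addr": addr,
                            "near_null": addr is not None and addr < 0x1000})
    return crashes

def hosts_to_triage(crashes, threshold=2, window=timedelta(minutes=15)):
    """Hosts with at least `threshold` near-NULL crashes inside `window`."""
    by_host = {}
    for c in crashes:
        if c["near_null"]:
            by_host.setdefault(c["host"], []).append(c["time"])
    return sorted(h for h, t in by_host.items()
                  if any(b - a <= window for a, b in zip(sorted(t), sorted(t)[threshold - 1:])))
```

A near-NULL fault address only prioritizes triage; confirming this CVE still requires the core dump review listed above.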
How to Mitigate CVE-2026-44602
Immediate Actions Required
- Upgrade all Tor installations to version 0.4.9.7 or later, which contains the upstream fix.
- Inventory relays, bridges, clients, and embedded Tor components to confirm none run pre-0.4.9.7 builds.
- Restart the tor service after package upgrade to ensure the patched binary is active in memory.
Patch Information
The Tor Project addressed the issue in commit df7d5174ef41814d806c8ede776e230cd30ac12b and shipped the fix in Tor 0.4.9.7. Refer to the Tor Project release announcement for distribution details and to the commit on GitLab for the source-level change.
Workarounds
- Restrict inbound ORPort exposure to known peers where operationally feasible until the upgrade is deployed.
- Deploy automatic process supervision so a crashed tor daemon restarts quickly and minimizes outage windows.
- Rate-limit inbound TLS connections at the network edge to slow repeated exploitation attempts.
# Verify installed Tor version and upgrade on Debian/Ubuntu
tor --version
sudo apt update && sudo apt install --only-upgrade tor
sudo systemctl restart tor
tor --version # Confirm 0.4.9.7 or later