CVE-2026-44603 Overview
CVE-2026-44603 is an out-of-bounds read vulnerability in the Tor daemon affecting versions before 0.4.9.7. The flaw, tracked internally by the Tor Project as TROVE-2026-007, occurs when Tor processes a malformed BEGIN cell, causing the implementation to read one byte beyond an allocated buffer. The issue is classified under CWE-193: Off-by-one Error. Successful triggering requires a network-reachable adversary to send a crafted relay cell, but the resulting impact is limited to availability. No code execution or information disclosure has been demonstrated.
Critical Impact
A remote attacker can send a malformed BEGIN cell to a vulnerable Tor instance to trigger a one-byte out-of-bounds read, potentially causing process instability or a crash.
Affected Products
- Tor daemon versions prior to 0.4.9.7
- Tor relay deployments running affected releases
- Downstream packages bundling vulnerable Tor builds
Discovery Timeline
- 2026-05-07 - CVE-2026-44603 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-44603
Vulnerability Analysis
The vulnerability is an off-by-one out-of-bounds read in Tor's handling of BEGIN cells. BEGIN cells are relay-layer messages used to request that an exit relay open a TCP connection to a specified host and port on behalf of a client. When parsing a malformed BEGIN cell, Tor reads one byte past the end of the cell's payload buffer. The read is bounded to a single byte adjacent to the allocation, which constrains the practical impact to availability rather than confidentiality or integrity. The Tor Project has documented the fix in commit 1703df3d439c83c2184e259fad1cfa19240f9c89 and tracked remediation work under Tor Project work item #41245.
Root Cause
The root cause is improper boundary validation when parsing the address and port fields of a BEGIN cell payload. The parser advances one byte beyond the validated region while scanning for terminators or delimiters in attacker-controlled input. This category of defect is captured by CWE-193, which describes off-by-one errors in loop or buffer boundary calculations.
Attack Vector
The attack vector is network-based. An adversary capable of sending relay cells to a vulnerable Tor process, such as a malicious client or an upstream relay in a circuit, can deliver a crafted BEGIN cell. The high attack complexity reflects the conditions required to reliably reach the parsing path with attacker-controlled bytes adjacent to the buffer boundary. No authentication or user interaction is required.
No verified public proof-of-concept code is available. See the Tor Project commit details and the Openwall OSS Security discussion for technical specifics on the parser change.
Detection Methods for CVE-2026-44603
Indicators of Compromise
- Unexpected restarts or abnormal termination of the tor daemon process without operator action.
- Crash artifacts such as core dumps referencing BEGIN cell processing functions in Tor's relay code.
- Repeated short-lived circuit failures originating from the same upstream peer.
Detection Strategies
- Monitor Tor notice and warn log entries for parser errors, protocol violations, or assertions emitted while handling relay cells.
- Compare deployed Tor versions across hosts against the fixed version 0.4.9.7 using package inventory or configuration management tooling.
- Correlate process exit codes for tor with network telemetry to identify crashes that follow inbound relay traffic from specific peers.
Monitoring Recommendations
- Enable verbose protocol logging on Tor relays during the patch rollout window to surface malformed cell events.
- Track service uptime and restart counts for tor units under systemd or equivalent supervisors.
- Forward Tor logs and host process events to a centralized logging or SIEM platform for cross-host correlation.
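The restart tracking and crash correlation described above can be sketched as follows. This is an added example, not code from the Tor Project or from this advisory: it scans `journalctl -o short-iso` lines for signal-terminated tor exits and flags hosts that reach a threshold inside a sliding window. The sample lines, host names, threshold, and window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Line shape of `journalctl -o short-iso` for a unit's main-process exit.
_EXIT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) systemd\[\d+\]: (?P<unit>tor\S*\.service): "
    r"Main process exited, code=(?P<code>\w+), status=(?P<status>\S+)$"
)
SIGNAL_EXITS = {"killed", "dumped"}  # ended by a signal, without or with a core


def abnormal_exits(lines):
    """Yield (host, timestamp, status) for signal-terminated tor exits."""
    for line in lines:
        m = _EXIT_RE.match(line.strip())
        if m and m["code"] in SIGNAL_EXITS:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S%z")
            yield m["host"], ts, m["status"]


def crash_loops(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {host: peak exits in any window} for hosts reaching threshold."""
    by_host = {}
    for host, ts, _status in abnormal_exits(lines):
        by_host.setdefault(host, []).append(ts)
    flagged = {}
    for host, stamps in by_host.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


# Constructed sample journal lines; host names are hypothetical.
SAMPLE = """\
2026-05-08T10:00:05+0000 relay-a systemd[1]: tor@default.service: Main process exited, code=killed, status=11/SEGV
2026-05-08T10:02:40+0000 relay-a systemd[1]: tor@default.service: Main process exited, code=dumped, status=6/ABRT
2026-05-08T10:03:00+0000 relay-b systemd[1]: tor.service: Main process exited, code=exited, status=0/SUCCESS
2026-05-08T10:06:10+0000 relay-a systemd[1]: tor@default.service: Main process exited, code=killed, status=11/SEGV
2026-05-08T10:07:00+0000 relay-c systemd[1]: tor.service: Main process exited, code=killed, status=11/SEGV
2026-05-08T11:30:00+0000 relay-c systemd[1]: tor.service: Main process exited, code=killed, status=11/SEGV
2026-05-08T12:45:00+0000 relay-c systemd[1]: tor.service: Main process exited, code=killed, status=11/SEGV
""".splitlines()

if __name__ == "__main__":
    print(crash_loops(SAMPLE))
```

A flagged host is only a lead: the timestamps it yields are what get correlated with network telemetry for the peers connected at those moments.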
How to Mitigate CVE-2026-44603
Immediate Actions Required
- Upgrade all Tor installations to version 0.4.9.7 or later as published in the Tor Project release announcement.
- Inventory all systems running the tor daemon, including bundled distributions, relays, bridges, and onion service hosts.
- Validate the upgrade by confirming the running version with tor --version after restart.
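The version comparison from the detection strategies and the post-upgrade validation step above can be automated across an inventory. The following is an added example, not code from the Tor Project or this advisory: it classifies collected `tor --version` output or package version strings against the fixed release 0.4.9.7. The host names and sample strings are constructed, and treating tagged builds (alpha, rc, dev) at or above the fixed number as "review" is an assumption, since the advisory names only the stable release.

```python
import re

FIXED = (0, 4, 9, 7)  # first fixed release named in this advisory

# Version token as found in `tor --version` output or a package version,
# e.g. "Tor version 0.4.8.12." or "0.4.9.3-alpha".
_VERSION_RE = re.compile(
    r"\b(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]\w*))?"
)


def classify(version_text):
    """Return 'vulnerable', 'fixed', 'review' or 'unknown' for one host."""
    # Only the first line carries Tor's own version; later lines list
    # library versions that must not be mistaken for it.
    line = (version_text or "").strip().split("\n", 1)[0]
    m = _VERSION_RE.search(line)
    if not m:
        return "unknown"  # empty or unparseable output: inspect by hand
    numeric = tuple(int(p) if p else 0 for p in m.group(1, 2, 3, 4))
    tag = m.group(5)  # status tag such as alpha, rc or dev, if present
    if numeric < FIXED:
        return "vulnerable"
    # Assumption: tagged builds at or above the fixed number need a
    # manual check that they contain the fix.
    return "review" if tag else "fixed"


def hosts_needing_action(inventory):
    """Map every host whose status is not 'fixed' to that status."""
    statuses = {host: classify(text) for host, text in inventory.items()}
    return {h: s for h, s in statuses.items() if s != "fixed"}


# Constructed sample inventory; host names are hypothetical.
SAMPLE_INVENTORY = {
    "relay-a": "Tor version 0.4.8.12.\nTor is running on Linux.",
    "relay-b": "Tor version 0.4.9.7.",
    "bridge-c": "0.4.9.3-alpha",
    "onion-d": "Tor version 0.4.9.7-dev (git-0000000).",
    "exit-e": "",
    "relay-f": "0.4.9.6-1~deb12u1",
}

if __name__ == "__main__":
    for host, status in sorted(hosts_needing_action(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```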
Patch Information
The Tor Project addressed CVE-2026-44603 in version 0.4.9.7. The corrective change is recorded in commit 1703df3d439c83c2184e259fad1cfa19240f9c89. Operators should obtain updated builds from the official Tor Project distribution channels or their operating system vendor's package repositories. Downstream maintainers should rebuild any packaged products that statically link or vendor the Tor source tree.
Workarounds
- No vendor-supplied workaround replaces the upgrade; upgrade to version 0.4.9.7 as the primary remediation.
- Restrict inbound connectivity on non-relay deployments to trusted peers where operationally feasible until patching completes.
- Configure process supervision to automatically restart the tor daemon to limit availability impact during the exposure window.
# Configuration example
# Verify installed Tor version after upgrade
tor --version
# Example systemd restart policy for the tor service
# /etc/systemd/system/tor.service.d/override.conf
[Service]
Restart=on-failure
RestartSec=5s


