External risk intelligence

Tor flaw could let attackers take control of your systems or disrupt services.

CVE advisory. Severity: CRITICAL (CVSS 9.1)

CVE-2026-44597

A flaw in Tor could let attackers disrupt services or access sensitive data by sending malformed network messages. This issue is particularly concerning because Tor relays are designed to be accessible from the internet.

Halo Surface Signal: 5

Affected product: Torproject Tor, versions before 0.4.9.7

External exposure likelihood

Halo Surface Signal score for CVE-2026-44597

Tor relay nodes are designed to function as public-facing internet services, accepting and processing unauthenticated network traffic from the public internet to facilitate anonymous routing. Since the vulnerability involves processing protocol control cells on these exposed services, the attack surface is inherently and intentionally public-facing in all standard deployments.

PCI scan relevance

PCI Relevance for CVE-2026-44597

Yes

CVE-2026-44597 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Tor allows an out-of-bounds read, which can expose sensitive data and could therefore lead to a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in Tor allows an attacker to read unintended memory when processing certain network cells. This could potentially expose sensitive information or cause instability in the Tor network.

  • Affects Tor network.
  • Reachable from the internet.
  • Requires no special access.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this flaw by sending specially crafted cells to a vulnerable Tor relay. This could cause the relay to crash or potentially leak information, disrupting the Tor network and compromising user anonymity.

  • Target: Tor relays.
  • Exploit: Malformed circuit cells.
  • Impact: Denial-of-service or information disclosure.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Tor's handling of certain cell types presents a significant risk due to its network accessibility and critical impact. Attackers would likely find this attractive as it targets a widely deployed anonymity network, potentially enabling widespread disruption or information leakage without prior authentication.

  • Exploitation is a concern given the public-facing nature of relays.
  • No confirmed public exploits, but exploit development is plausible.
  • The recent disclosure reflects active security scrutiny of Tor.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize updating Tor to version 0.4.9.7 or later to address the critical out-of-bounds read vulnerability. If immediate patching is not feasible, consider isolating or disabling affected Tor relays to prevent potential exploitation. Continuous monitoring for suspicious network activity on Tor nodes is also recommended.

  • Update Tor to 0.4.9.7+.
  • Isolate or disable affected services.
  • Monitor for suspicious traffic patterns.

Frequently asked questions

What is Tor and what is it used for?

Tor is software that enables anonymous communication online. It's used by people who want to protect their privacy and circumvent censorship by routing their internet traffic through a volunteer overlay network. This makes it harder to track users' online activities and where they are connecting from.

What kind of weakness does CVE-2026-44597 represent in Tor?

CVE-2026-44597 is an out-of-bounds read vulnerability. This means that when Tor processes certain types of network cells, it may attempt to read data beyond the intended buffer, potentially leading to unintended memory access.

How can an attacker trigger the vulnerability in Tor?

An attacker can trigger this vulnerability by sending specially crafted network cells, specifically END, TRUNCATE, or TRUNCATED cells whose payload lacks the required reason field. This vulnerability is not triggered by standard or correctly formatted cells.
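The defect class described in the Attack Path section and in this answer is a parser that assumes a reason byte is present in an END, TRUNCATE or TRUNCATED cell and reads it without first checking the cell's declared data length. The example below, added here and not taken from the advisory or from Tor's source, shows that pattern next to its hardened form. The relay cell layout (509-byte cell, 11-byte relay header, 498 bytes of data) and the relay command numbers follow tor-spec; the function names, the struct and the constructed test cells are assumptions of this example. The test cells are built in memory, so nothing is sent anywhere.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Relay cell layout from tor-spec (the layout is real; this parser is
 * illustrative and is not Tor's code). A cell payload is 509 bytes, of
 * which the relay header takes 11, leaving 498 bytes of relay data. */
#define CELL_PAYLOAD_SIZE 509
#define RELAY_HEADER_SIZE 11
#define RELAY_PAYLOAD_SIZE (CELL_PAYLOAD_SIZE - RELAY_HEADER_SIZE)

/* Relay command numbers from tor-spec for the three cells the advisory names. */
enum { RELAY_END = 3, RELAY_TRUNCATE = 8, RELAY_TRUNCATED = 9 };

typedef struct {
    uint8_t command;
    uint16_t recognized;
    uint16_t stream_id;
    uint32_t digest;
    uint16_t length;       /* how many data bytes the sender claims to carry */
    const uint8_t *data;   /* points at the data area inside the cell buffer */
} relay_cell_t;

static uint16_t get16(const uint8_t *p) {
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

static uint32_t get32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Parse the 11-byte relay header. Returns 0 on success, -1 if the claimed
 * length could never fit in a cell (the first bound every parser must check). */
int relay_header_parse(const uint8_t *cell, relay_cell_t *out) {
    out->command = cell[0];
    out->recognized = get16(cell + 1);
    out->stream_id = get16(cell + 3);
    out->digest = get32(cell + 5);
    out->length = get16(cell + 9);
    out->data = cell + RELAY_HEADER_SIZE;
    if (out->length > RELAY_PAYLOAD_SIZE)
        return -1;
    return 0;
}

static int carries_reason(uint8_t cmd) {
    return cmd == RELAY_END || cmd == RELAY_TRUNCATE || cmd == RELAY_TRUNCATED;
}

/* Unchecked extraction: the defect class the advisory describes. It assumes a
 * reason byte is present and reads data[0] without consulting length. Because
 * the demo buffer is a fixed 509-byte array, the read here lands on stale bytes
 * rather than outside the allocation, but the logic error is the same: a byte
 * the peer never sent is treated as part of the message. */
int reason_unchecked(const relay_cell_t *rc) {
    if (!carries_reason(rc->command))
        return -1;
    return rc->data[0];
}

/* Checked extraction: the reason is read only if the sender actually supplied
 * it. A zero-length END/TRUNCATE/TRUNCATED cell is rejected as malformed. */
int reason_checked(const relay_cell_t *rc) {
    if (!carries_reason(rc->command))
        return -1;
    if (rc->length < 1)
        return -1;   /* malformed: required reason field missing */
    return rc->data[0];
}

/* Build a constructed test cell. stale_fill seeds the whole buffer first, so
 * the data area holds leftover bytes exactly where a zero-length cell
 * promises nothing. */
void build_cell(uint8_t *cell, uint8_t cmd, const uint8_t *data,
                uint16_t len, uint8_t stale_fill) {
    size_t copy = len > RELAY_PAYLOAD_SIZE ? RELAY_PAYLOAD_SIZE : len;
    memset(cell, stale_fill, CELL_PAYLOAD_SIZE);
    cell[0] = cmd;
    cell[1] = cell[2] = 0;               /* recognized */
    cell[3] = 0; cell[4] = 1;            /* stream id 1 */
    memset(cell + 5, 0, 4);              /* digest (not verified here) */
    cell[9] = (uint8_t)(len >> 8);
    cell[10] = (uint8_t)(len & 0xff);
    if (copy && data)
        memcpy(cell + RELAY_HEADER_SIZE, data, copy);
}

int main(void) {
    uint8_t cell[CELL_PAYLOAD_SIZE];
    relay_cell_t rc;
    uint8_t reason = 4;

    /* Well-formed END cell carrying reason 4: both parsers agree. */
    build_cell(cell, RELAY_END, &reason, 1, 0x42);
    relay_header_parse(cell, &rc);
    printf("well-formed: unchecked=%d checked=%d\n",
           reason_unchecked(&rc), reason_checked(&rc));

    /* Malformed END cell with length 0: the unchecked parser returns a stale
     * byte, the checked parser rejects the cell. */
    build_cell(cell, RELAY_END, NULL, 0, 0x42);
    relay_header_parse(cell, &rc);
    printf("malformed:   unchecked=%d checked=%d\n",
           reason_unchecked(&rc), reason_checked(&rc));
    return 0;
}
```

The design point is that the length field, not the command type, decides whether a field exists: a command that normally carries a reason is no guarantee that this particular cell does. Checking `length >= 1` before the read is the whole fix in this model, and the same bound check applies to any other optional trailing field.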

Who should be concerned about this CVE and why?

Anyone running Tor relay nodes should be concerned, as these are often internet-facing services. The Halo Surface Signal indicates this vulnerability is very likely to be exploited externally because Tor relays are designed to accept traffic from the public internet, making them accessible targets.

What are the first steps to respond to this Tor vulnerability?

The primary response is to update Tor to version 0.4.9.7 or later. If an immediate update isn't possible, consider isolating or disabling affected Tor relays until they can be patched to prevent potential exploitation.
