External risk intelligence

Tor can be disrupted by an attacker due to a critical flaw.

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-44603

Tor has a critical flaw that could crash it or expose sensitive data. It affects anyone using Tor for anonymity, and the software should be updated immediately.

Halo Surface Signal: 5

Torproject Tor

before 0.4.9.7

External exposure likelihood

Halo Surface Signal score for CVE-2026-44603

Tor is designed to function as an anonymization relay, which requires the service to be directly exposed to the public internet to accept and route traffic from untrusted sources. Its core operational purpose is to maintain internet-facing listener ports that process incoming network cells, making it inherently public-facing by design in any standard deployment.

PCI scan relevance

PCI Relevance for CVE-2026-44603

Yes

CVE-2026-44603 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Tor allows for an out-of-bounds read, potentially impacting confidentiality and availability. The critical severity score suggests it is relevant for PCI scanning.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Tor can allow an attacker to read memory outside of allocated buffer space. This could potentially lead to the disclosure of sensitive information or cause the application to crash.

  • Remote attackers can trigger this issue.
  • This affects the confidentiality and availability of Tor services.
  • Immediate attention is warranted due to the criticality.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by sending a specially crafted BEGIN cell to a vulnerable Tor client or relay. This malformed cell could trigger an out-of-bounds read, potentially leading to a denial-of-service condition or, with further exploitation, information disclosure or arbitrary code execution.

  • Network access required.
  • Malformed BEGIN cell triggers vulnerability.
  • One-byte read causes crash.

Live Threat

Current exploitation, exposure, and threat context

The vulnerability in Tor before 0.4.9.7 allows for an out-of-bounds read, which attackers may find attractive because Tor is a widely used tool for anonymity. The fact that this is a critical vulnerability with a network attack vector suggests it could be leveraged remotely. However, without public exploit code or active exploitation signals, the immediate threat picture is uncertain.

  • Exploitation is possible remotely.
  • No public exploits are known.
  • No KEV signals exist.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams should prioritize identifying and updating all Tor instances to version 0.4.9.7 or later to address the critical vulnerability that could lead to a denial-of-service or information leak. If immediate patching is not possible, focus on network-level controls to limit exposure and monitor for any signs of exploitation.

  • Update Tor to version 0.4.9.7.
  • Implement firewall rules to restrict access.
  • Monitor Tor logs for abnormal cell activity.
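One way to carry out the "identify all Tor instances" step is to compare each host's `tor --version` banner against the fixed release. The script below is an added example, not code from this advisory or from the Tor Project; the function names are hypothetical, the sample banners are constructed, and it assumes the banner starts with `Tor version <dotted number>` and that status tags such as `-alpha` can be ignored.

```sh
#!/bin/sh
# Added example: flag Tor builds older than the fixed release in this advisory.
FIXED_VERSION="0.4.9.7"   # from the advisory: versions before this are affected

# Pull the dotted version out of a banner line such as "Tor version 0.4.8.10."
# Assumption: any status tag ("-alpha", "-rc") is ignored, numbers only.
tor_extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^Tor version \([0-9][0-9]*\(\.[0-9][0-9]*\)\{1,3\}\).*/\1/p'
}

# Return 0 when version $1 is strictly older than $2 (up to four numeric
# components, missing components count as 0).
version_lt() {
    a=$1; b=$2
    for i in 1 2 3 4; do
        x=${a%%.*}; y=${b%%.*}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 1
}

# Print "VULNERABLE <ver>", "OK <ver>" or "UNKNOWN" for one banner line.
tor_check_banner() {
    ver=$(tor_extract_version "$1")
    if [ -z "$ver" ]; then
        echo "UNKNOWN"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "VULNERABLE $ver"
    else
        echo "OK $ver"
    fi
}

# Constructed sample banners (not captured from real hosts).
for banner in "Tor version 0.4.8.10." "Tor version 0.4.9.6-alpha." \
              "Tor version 0.4.9.7." "tor: command not found"; do
    printf '%-28s -> %s\n' "$banner" "$(tor_check_banner "$banner")"
done

# Check the local binary when one is installed.
if command -v tor >/dev/null 2>&1; then
    tor_check_banner "$(tor --version 2>/dev/null | head -n 1)"
fi
```

An `UNKNOWN` result means the banner could not be parsed, so that host needs a manual check and should not be counted as patched.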

Frequently asked questions

What is Tor and what is it used for?

Tor is software that enables anonymous communication online. It is commonly used to protect users' privacy by routing internet traffic through a volunteer overlay network consisting of thousands of relays. This makes it difficult for anyone to track online activities or the identity of the user.

What is CVE-2026-44603? What kind of weakness does it represent?

CVE-2026-44603 is a critical vulnerability in Tor. It is classified as an out-of-bounds read, specifically a one-byte read outside of allocated memory, which could potentially disrupt Tor services or expose sensitive information.

How can an attacker trigger this Tor vulnerability?

An attacker can trigger this vulnerability by sending a specifically crafted, malformed BEGIN cell to a Tor client or relay. This malformed cell exploits the flaw in how Tor processes certain types of cells, leading to the out-of-bounds read.

Who should be concerned about this Tor vulnerability?

Anyone running Tor instances that are internet-facing should be concerned. Because Tor's primary function is to be accessible from the internet to route anonymized traffic, these instances are considered external-facing and at higher risk.

What is the first step to address this Tor vulnerability?

The most important first step is to update all Tor instances to version 0.4.9.7 or a later version. This update includes the necessary fixes to address the out-of-bounds read vulnerability.
