Description
Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011.
Published: 2026-05-07
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Tor's relay cell handling contains a flaw that lets an adversary trigger an out-of-bounds read when an END, TRUNCATE, or TRUNCATED cell omits a reason in its payload. This omission causes an uninitialized memory read, which can expose sensitive data or lead to a program crash, and is identified as CWE‑684, a Resource Management weakness.

Affected Systems

The vulnerability affects torproject:Tor versions prior to 0.4.9.7. Any Tor relay node that processes END, TRUNCATE, or TRUNCATED cells without a reason is vulnerable. The issue is specific to the Tor client/server product.

Risk and Exploitability

The CVSS score of 3.7 indicates a low‑severity vulnerability. With no EPSS data and no KEV listing, evidence of active exploitation is lacking, which suggests a limited risk. The flaw allows an out‑of‑bounds read that could expose data but does not provide code execution. The most likely attack vector is a attacker sending a crafted END, TRUNCATE, or TRUNCATED cell lacking a reason to a vulnerable relay over the data channel.

Generated by OpenCVE AI on May 7, 2026 at 05:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Tor release 0.4.9.7 or newer to fix the out‑of‑bounds read.
  • If an immediate update is not possible, disable processing of END, TRUNCATE, or TRUNCATED cells that lack a reason in the relay’s configuration or use a firewall rule to drop such cells.
  • Patch or recompile the Tor code with the fix from commit 8f98054b1982d00a14639864d03e9afd90b87481 when updates are unavailable.

Generated by OpenCVE AI on May 7, 2026 at 05:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 05:45:00 +0000

Type Values Removed Values Added
Title Out-of-bounds Read in Tor Relay Cell Handling for END, TRUNCATE Cells Without Reason

Thu, 07 May 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Torproject
Torproject tor
CPEs cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:*
Vendors & Products Torproject
Torproject tor
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Description Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011.
Weaknesses CWE-684
References

Subscriptions

Torproject Tor
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T13:12:29.516Z

Reserved: 2026-05-07T00:56:46.891Z

Link: CVE-2026-44597

cve-icon Vulnrichment

Updated: 2026-05-07T13:12:20.932Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-07T01:16:01.163

Modified: 2026-05-07T17:34:30.283

Link: CVE-2026-44597

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T05:30:22Z

Weaknesses