Description
Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue, aka TROVE-2026-010.
Published: 2026-05-07
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Tor before version 0.4.9.7 mishandles the accounting of the conflux out-of-order queue when that queue is cleared, a flaw tracked by the Tor Project as TROVE‑2026‑010. Once the queue's counters no longer match what the queue actually holds, later decisions that depend on those counters are made against stale state: processing can stall, or already-cleared data can be treated as still pending. The resulting inconsistent state can degrade performance or halt the affected daemon, which is a potential denial of service; the CVSS vector on this record (C:N/I:N/A:L) scopes the impact to a limited loss of availability with no confidentiality or integrity effect. The assigned weakness is CWE‑696, Incorrect Behavior Order: the clearing of the queue and the update of its accounting are not performed together in the right sequence.
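The following C model is an added illustration of this bug class and is not Tor's conflux code: it builds a small out-of-order queue with a byte counter, clears it once without touching the counter (the buggy path) and once while subtracting every released cell (the fixed path), then shows that the stale counter makes the empty queue refuse the next cell. All names (ooo_queue_t, ooo_queue_push, run_scenario), the 498-byte cell size, the four-cell budget and the arrival order are assumptions chosen for the illustration.

```c
/* Added illustration of the bug class: an out-of-order queue whose byte
 * accounting is not updated when the queue is cleared. Not Tor's conflux
 * code; every name, size and budget below is an assumption. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

#define CELL_LEN 498                  /* assumed payload bytes per cell */
#define QUEUE_BUDGET (4 * CELL_LEN)   /* assumed per-queue byte budget */

typedef struct ooo_cell_t {
  unsigned seq;                       /* sequence number used for reordering */
  size_t len;                         /* payload bytes held by this cell */
  struct ooo_cell_t *next;
} ooo_cell_t;

typedef struct ooo_queue_t {
  ooo_cell_t *head;                   /* cells kept sorted by seq */
  size_t queued_bytes;                /* accounting: must equal the sum of len */
} ooo_queue_t;

/* Insert in seq order; refuse the cell if the byte budget would overflow. */
static int ooo_queue_push(ooo_queue_t *q, unsigned seq, size_t len)
{
  if (q->queued_bytes + len > QUEUE_BUDGET)
    return 0;                         /* back-pressure: caller must wait */
  ooo_cell_t *c = calloc(1, sizeof(*c));
  if (!c)
    abort();
  c->seq = seq;
  c->len = len;
  ooo_cell_t **pp = &q->head;
  while (*pp && (*pp)->seq < seq)
    pp = &(*pp)->next;
  c->next = *pp;
  *pp = c;
  q->queued_bytes += len;
  return 1;
}

/* Free every cell; the caller is responsible for the accounting. */
static void ooo_queue_release_cells(ooo_queue_t *q)
{
  while (q->head) {
    ooo_cell_t *next = q->head->next;
    free(q->head);
    q->head = next;
  }
}

/* Buggy clear: the cells are gone but queued_bytes keeps its old value, so
 * the empty queue still looks full and refuses every later cell. */
static void ooo_queue_clear_buggy(ooo_queue_t *q)
{
  ooo_queue_release_cells(q);
}

/* Fixed clear: subtract each cell as it is released, then check the invariant
 * that an empty queue accounts for zero bytes. */
static void ooo_queue_clear_fixed(ooo_queue_t *q)
{
  for (const ooo_cell_t *c = q->head; c; c = c->next)
    q->queued_bytes -= c->len;
  ooo_queue_release_cells(q);
  assert(q->queued_bytes == 0);
}

/* Fill the queue with a constructed out-of-order burst, clear it with the
 * given routine, then offer one more cell. Returns 1 if that cell was
 * accepted, 0 if stale accounting refused it; *leftover (if non-NULL)
 * receives the counter value right after the clear. */
static int run_scenario(void (*clear_fn)(ooo_queue_t *), size_t *leftover)
{
  ooo_queue_t q = { NULL, 0 };
  const unsigned seqs[] = { 3, 1, 4, 2 };   /* constructed arrival order */
  for (size_t i = 0; i < 4; i++)
    if (!ooo_queue_push(&q, seqs[i], CELL_LEN))
      abort();
  clear_fn(&q);
  if (leftover)
    *leftover = q.queued_bytes;
  int accepted = ooo_queue_push(&q, 5, CELL_LEN);
  ooo_queue_release_cells(&q);
  return accepted;
}

/* Counter value left behind by a clear: 0 means the accounting is consistent. */
static size_t leftover_after_clear(void (*clear_fn)(ooo_queue_t *))
{
  size_t left = 0;
  run_scenario(clear_fn, &left);
  return left;
}

int main(void)
{
  printf("buggy clear: %zu stale bytes, next cell accepted: %d\n",
         leftover_after_clear(ooo_queue_clear_buggy),
         run_scenario(ooo_queue_clear_buggy, NULL));
  printf("fixed clear: %zu stale bytes, next cell accepted: %d\n",
         leftover_after_clear(ooo_queue_clear_fixed),
         run_scenario(ooo_queue_clear_fixed, NULL));
  return 0;
}
```

With the buggy clear the counter still reads 1992 bytes (four cells' worth) after the list is empty, so the fifth cell is refused and the queue is wedged until the process is restarted; with the fixed clear the counter returns to zero and the cell is accepted. The assert in the fixed path is the kind of invariant check that turns this class of accounting drift into an immediate, diagnosable failure instead of a silent stall.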

Affected Systems

The vulnerability affects the tor daemon distributed by the Tor Project (CPE cpe:2.3:a:torproject:tor), the same binary that runs as a client and as a relay. Every release before 0.4.9.7 is potentially affected; 0.4.9.7 and later contain the fix.

Risk and Exploitability

The CVSS 3.1 score of 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) rates this as low severity: reachable over the network without privileges or user interaction, but with high attack complexity and only a limited availability impact. The EPSS estimate is below 1% and the CVE is not in CISA's KEV catalogue, and the SSVC assessment recorded in the history below (Exploitation: none, Automatable: yes, Technical Impact: partial) agrees, so exploitation in the wild is currently unlikely. Consistent with the vector, the expected trigger is conflux traffic arriving over the network rather than local access to the daemon. The risk profile is low but should not be ignored for deployments where availability matters.

Generated by OpenCVE AI on May 7, 2026 at 05:42 UTC.

Remediation

This record carries no vendor advisory or workaround reference; the description itself states that the issue is addressed in Tor 0.4.9.7.

OpenCVE Recommended Actions

  • Upgrade the tor daemon (client or relay) to version 0.4.9.7 or later
  • If an upgrade cannot be performed immediately, restart the Tor process to discard the in‑memory queue state; treat this as a stopgap only, since the condition can recur once new conflux traffic arrives
  • Monitor throughput and latency on affected hosts; if circuits stall or performance degrades without another explanation, schedule an expedited upgrade

Generated by OpenCVE AI on May 7, 2026 at 05:42 UTC.


Advisories

No advisories yet.

History

Thu, 07 May 2026 13:15:00 +0000
  Metrics (ssvc)
    Values removed: (none)
    Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 05:45:00 +0000
  Title
    Values removed: (none)
    Values added: Mismanaged Queue State Leading to Potential Denial of Service in Tor

Thu, 07 May 2026 04:15:00 +0000
  Description
    Values removed: Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue.
    Values added: Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue, aka TROVE-2026-010.

Thu, 07 May 2026 03:00:00 +0000
  Description
    Values added: Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue.
  First Time appeared
    Values added: Torproject; Torproject tor
  Weaknesses
    Values added: CWE-696
  CPEs
    Values added: cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:*
  Vendors & Products
    Values added: Torproject; Torproject tor
  References
    Values added: (empty)
  Metrics (cvssV3_1)
    Values added: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-07T12:46:59.949Z

Reserved: 2026-05-07T02:20:50.690Z

Link: CVE-2026-44600

Vulnrichment

Updated: 2026-05-07T12:46:50.372Z

NVD

Status: Received

Published: 2026-05-07T03:16:08.523

Modified: 2026-05-07T04:16:34.870

Link: CVE-2026-44600

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T05:45:06Z

Weaknesses