CVE-2026-44601
Tor 0.4.9.7 Circuit Queue Memory Double Close Crash
Publication date: 2026-05-07
Last updated on: 2026-05-08
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| torproject | tor | to 0.4.9.7 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-837 | The product requires that an actor should only be able to perform an action once, or to have only one unique action, but the product does not enforce or improperly enforces this restriction. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Tor versions before 0.4.9.7 and occurs when there is circuit queue memory pressure. It can cause a client crash due to a double close of a circuit, which means the software attempts to close the same circuit twice, leading to instability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
There is no information provided in the available context or resources about how CVE-2026-44601 affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability impact me? :
The primary impact of this vulnerability is that it can cause the Tor client to crash unexpectedly. This can disrupt your use of the Tor network, potentially causing loss of connectivity or interruption of anonymity services. The CVSS score indicates a low severity with no confidentiality or integrity impact, but it does affect availability.
What immediate steps should I take to mitigate this vulnerability?
The Tor Project strongly recommends upgrading to Tor version 0.4.9.7 immediately to fix this vulnerability.