Information Disclosure Vulnerability in Tor Browser by The Tor Project
CVE-2021-46702

5.5MEDIUM

Key Information:

Vendor: Torproject
Status: Tor
Vendor: CVE Published:; 26 February 2022

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2021-46702?

The Tor Browser version 9.0.7 is susceptible to an information disclosure vulnerability on Windows 10 build 10586. Local attackers may exploit this flaw to bypass the browser's anonymizing features, allowing access to critical information about onion services that the user has visited. The vulnerability stems from the inability of the browser to effectively deallocate memory, leaving sensitive data retrievable from RAM for an extended period, even hours after the application has been closed. This raises significant privacy concerns for users relying on the Tor network for anonymity.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-46702
Created by malakkf

References

https://www.sciencedirect.com/science/article/pii/S016740...

x_refsource_MISC

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Feb 26, 2022
👾
Exploit known to exist
Feb 26, 2022
Vulnerability published
Feb 26, 2022
Vulnerability Reserved
Feb 26, 2022

CVE-2021-46702 Data

JSON