NULL Pointer Dereference in Tor Software by Tor Project
CVE-2026-44602

3.7 LOW

Key Information:

Vendor

Torproject

Status
Vendor
CVE Published: 7 May 2026

What is CVE-2026-44602?

Tor versions prior to 0.4.9.7 are susceptible to a NULL pointer dereference when handling CERT cells received in a non-sequential order. The flaw can interfere with the application's ability to process these cells correctly, potentially leading to application crashes. Users of affected versions are advised to upgrade to the latest release to mitigate the risks associated with this vulnerability and ensure the integrity of their connections.

Affected Version(s)

Tor 0 < 0.4.9.7

CVSS V3.1

Score: 3.7
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved