DEBIAN-CVE-2026-44597

Source
https://security-tracker.debian.org/tracker/CVE-2026-44597
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-44597.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-44597
Upstream
  • CVE-2026-44597
Published
2026-05-07T01:16:01.163Z
Modified
2026-06-15T19:06:28.018801433Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Summary
[none]
Details

Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011.

Affected packages

Debian:11 / tor

Package

Name
tor
Purl
pkg:deb/debian/tor?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

0.*
0.4.5.9-1
0.4.5.10-1~bpo10+1
0.4.5.10-1~deb11u1
0.4.5.10-1
0.4.5.16-1
0.4.6.2-alpha-1
0.4.6.3-rc-1
0.4.6.4-rc-1
0.4.6.6-1
0.4.6.7-1
0.4.6.8-1~bpo10+2
0.4.6.8-1~bpo11+2
0.4.6.8-1
0.4.6.9-1
0.4.6.10-1~bpo10+1
0.4.6.10-1~bpo11+1
0.4.6.10-1
0.4.7.3-alpha-1
0.4.7.4-alpha-1
0.4.7.5-alpha-1
0.4.7.6-rc-1
0.4.7.7-1~bpo10+1
0.4.7.7-1~bpo11+1
0.4.7.7-1
0.4.7.8-1~bpo10+1
0.4.7.8-1~bpo11+1
0.4.7.8-1
0.4.7.9-1
0.4.7.10-1~bpo10+1
0.4.7.10-1~bpo11+1
0.4.7.10-1
0.4.7.11-1~bpo11+1
0.4.7.11-1
0.4.7.12-1
0.4.7.13-1~bpo11+1
0.4.7.13-1
0.4.7.16-1
0.4.8.4-2
0.4.8.5-1
0.4.8.6-1
0.4.8.7-1
0.4.8.8-1
0.4.8.9-1~bpo11+1
0.4.8.9-1~bpo12+1
0.4.8.9-1
0.4.8.10-1~bpo11+1
0.4.8.10-1~bpo12+1
0.4.8.10-1
0.4.8.11-1~bpo11+1
0.4.8.11-1~bpo12+1
0.4.8.11-1
0.4.8.12-1~bpo11+1
0.4.8.12-1~bpo12+1
0.4.8.12-1
0.4.8.12-1.1
0.4.8.13-1
0.4.8.13-2~bpo12+1
0.4.8.13-2
0.4.8.14-1~bpo12+1
0.4.8.14-1
0.4.8.16-1
0.4.8.21-1~bpo12+1
0.4.8.21-1~bpo13+1
0.4.8.21-1~bpo13+2
0.4.8.21-1
0.4.8.22-1~bpo12+1
0.4.8.22-1~bpo13+1
0.4.8.22-1
0.4.9.5-1
0.4.9.5-2~bpo12+1
0.4.9.5-2~bpo13+1
0.4.9.5-2
0.4.9.6-1~bpo12+1
0.4.9.6-1~bpo13+1
0.4.9.6-1
0.4.9.8-1~bpo12+1
0.4.9.8-1~bpo13+1
0.4.9.8-1

Ecosystem specific

{
    "urgency": "end-of-life"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-44597.json"

Debian:12 / tor

Package

Name
tor
Purl
pkg:deb/debian/tor?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.4.9.8-0+deb12u1

Affected versions

0.*
0.4.7.13-1
0.4.7.16-1
0.4.8.4-2
0.4.8.5-1
0.4.8.6-1
0.4.8.7-1
0.4.8.8-1
0.4.8.9-1~bpo11+1
0.4.8.9-1~bpo12+1
0.4.8.9-1
0.4.8.10-1~bpo11+1
0.4.8.10-1~bpo12+1
0.4.8.10-1
0.4.8.11-1~bpo11+1
0.4.8.11-1~bpo12+1
0.4.8.11-1
0.4.8.12-1~bpo11+1
0.4.8.12-1~bpo12+1
0.4.8.12-1
0.4.8.12-1.1
0.4.8.13-1
0.4.8.13-2~bpo12+1
0.4.8.13-2
0.4.8.14-1~bpo12+1
0.4.8.14-1
0.4.8.16-1
0.4.8.21-1~bpo12+1
0.4.8.21-1~bpo13+1
0.4.8.21-1~bpo13+2
0.4.8.21-1
0.4.8.22-1~bpo12+1
0.4.8.22-1~bpo13+1
0.4.8.22-1
0.4.9.5-1
0.4.9.5-2~bpo12+1
0.4.9.5-2~bpo13+1
0.4.9.5-2
0.4.9.6-0+deb12u1
0.4.9.6-1~bpo12+1
0.4.9.6-1~bpo13+1
0.4.9.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-44597.json"

Debian:13 / tor

Package

Name
tor
Purl
pkg:deb/debian/tor?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.4.9.8-0+deb13u1

Affected versions

0.*
0.4.8.16-1
0.4.8.21-1~bpo12+1
0.4.8.21-1~bpo13+1
0.4.8.21-1~bpo13+2
0.4.8.21-1
0.4.8.22-1~bpo12+1
0.4.8.22-1~bpo13+1
0.4.8.22-1
0.4.9.5-1
0.4.9.5-2~bpo12+1
0.4.9.5-2~bpo13+1
0.4.9.5-2
0.4.9.6-0+deb13u1
0.4.9.6-1~bpo12+1
0.4.9.6-1~bpo13+1
0.4.9.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-44597.json"

Debian:14 / tor

Package

Name
tor
Purl
pkg:deb/debian/tor?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.4.9.8-1

Affected versions

0.*
0.4.8.16-1
0.4.8.21-1~bpo12+1
0.4.8.21-1~bpo13+1
0.4.8.21-1~bpo13+2
0.4.8.21-1
0.4.8.22-1~bpo12+1
0.4.8.22-1~bpo13+1
0.4.8.22-1
0.4.9.5-1
0.4.9.5-2~bpo12+1
0.4.9.5-2~bpo13+1
0.4.9.5-2
0.4.9.6-1~bpo12+1
0.4.9.6-1~bpo13+1
0.4.9.6-1
0.4.9.8-1~bpo12+1
0.4.9.8-1~bpo13+1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-44597.json"