threat
engine
.sh
Back
·
··:··
Home
/
Product
/
tor
Product
tor
104 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
Sort
Newest first
Oldest first
Highest CVSS
Lowest CVSS
Min CVSS
Any
4.0+
7.0+ (High)
9.0+ (Critical)
Published since
Reset
CVE-2026-44603
< 0.4.9.7
Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007.
3.7
LOW
CVE-2026-44602
< 0.4.9.7
Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006.
3.7
LOW
CVE-2026-44601
< 0.4.9.7
Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circui
3.7
LOW
CVE-2026-44600
< 0.4.9.7
Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue, aka TROVE-2026-010.
3.7
LOW
CVE-2026-44599
< 0.4.9.7
Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008.
3.7
LOW
CVE-2026-44597
< 0.4.9.7
Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE
3.7
LOW
CVE-2023-23589
< 0.4.7.13
The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOC
6.5
MEDIUM
CVE-2022-33903
>= 0.4.7.1 and < 0.4.7.8
Tor 0.4.7.x before 0.4.7.8 allows a denial of service via the wedging of RTT estimation.
7.5
HIGH
CVE-2021-46702
all versions
Tor Browser 9.0.7 on Windows 10 build 10586 is vulnerable to information disclosure. This could allow local attackers to bypass th
5.5
MEDIUM
CVE-2021-38385
< 0.3.5.16
Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-signature v
7.5
HIGH
CVE-2021-34550
< 0.3.5.15
An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-006. The v3 onion service descriptor parsing allows out-of-bounds me
7.5
HIGH
CVE-2021-34549
< 0.3.5.15
An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-005. Hashing is mishandled for certain retrieval of circuit data. Co
7.5
HIGH
CVE-2021-34548
< 0.3.5.15
An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-003. An attacker can forge RELAY_END or RELAY_RESOLVED to bypass the
7.5
HIGH
CVE-2021-28090
< 0.3.5.14
Tor before 0.4.5.7 allows a remote attacker to cause Tor directory authorities to exit with an assertion failure, aka TROVE-2021-0
5.3
MEDIUM
CVE-2021-28089
< 0.3.5.14
Tor before 0.4.5.7 allows a remote participant in the Tor directory protocol to exhaust CPU resources on a target, aka TROVE-2021-
7.5
HIGH
CVE-2020-15572
< 0.3.5.11
Tor before 0.4.3.6 has an out-of-bounds memory access that allows a remote denial-of-service (crash) attack against Tor instances
7.5
HIGH
CVE-2020-10593
>= 0.3.5 and < 0.3.5.10
Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (memory
7.5
HIGH
CVE-2020-10592
>= 0.3.5 and < 0.3.5.10
Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (CPU co
7.5
HIGH
CVE-2020-8516
<= 0.4.1.8
The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to
5.3
MEDIUM
CVE-2015-2929
< 0.2.4.27
The Hidden Service (HS) client implementation in Tor before 0.2.4.27, 0.2.5.x before 0.2.5.12, and 0.2.6.x before 0.2.6.7 allows r
7.5
HIGH
CVE-2015-2928
< 0.2.4.27
The Hidden Service (HS) server implementation in Tor before 0.2.4.27, 0.2.5.x before 0.2.5.12, and 0.2.6.x before 0.2.6.7 allows r
7.5
HIGH
CVE-2015-2689
< 0.2.4.26
Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle pending-connection resolve states during periods of high
7.5
HIGH
CVE-2015-2688
< 0.2.4.26
buf_pullup in Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle unexpected arrival times of buffers with in
7.5
HIGH
CVE-2019-8955
< 0.3.3.12
In Tor before 0.3.3.12, 0.3.4.x before 0.3.4.11, 0.3.5.x before 0.3.5.8, and 0.4.x before 0.4.0.2-alpha, remote denial of service
7.5
HIGH
CVE-2016-9079
all versions
A use-after-free vulnerability in SVG Animation has been discovered. An exploit built on this vulnerability has been discovered in
7.5
HIGH
CVE-2018-0491
>= 0.3.2.0 and < 0.3.2.10
A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. It allows remote attackers to cause a denial of service (rel
7.5
HIGH
CVE-2018-0490
<= 0.2.9.14
An issue was discovered in Tor before 0.2.9.15, 0.3.1.x before 0.3.1.10, and 0.3.2.x before 0.3.2.10. The directory-authority prot
7.5
HIGH
CVE-2016-1254
< 0.2.8.12
Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden service descript
7.5
HIGH
CVE-2017-8823
< 0.2.5.16
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.
8.1
HIGH
CVE-2017-8822
< 0.2.5.16
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.
3.7
LOW
CVE-2017-8821
< 0.2.5.16
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.
7.5
HIGH
CVE-2017-8820
< 0.2.5.16
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.
7.5
HIGH
CVE-2017-8819
< 0.2.5.16
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.
7.5
HIGH
CVE-2017-16541
< 7.0.9
Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client
6.5
MEDIUM
CVE-2017-0380
<= 0.2.8.14
The rend_service_intro_established function in or/rendservice.c in Tor before 0.2.8.15, 0.2.9.x before 0.2.9.12, 0.3.0.x before 0.
5.9
MEDIUM
CVE-2017-11565
all versions
debian/tor.init in the Debian tor_0.2.9.11-1~deb9u1 package for Tor was designed to execute aa-exec from the standard system pathn
7.5
HIGH
CVE-2017-0377
all versions
Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family), which m
7.5
HIGH
CVE-2017-0376
< 0.3.0.8
The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the connection_
7.5
HIGH
CVE-2017-0375
< 0.3.0.8
The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the relay_send_
7.5
HIGH
CVE-2016-8860
<= 0.2.8.8
Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data had NUL te
7.5
HIGH
CVE-2014-5117
<= 0.2.4.22
Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit after an inbound RELAY_EARLY cell is received by a client,
CVE-2012-2250
<= 0.2.3.23
Tor before 0.2.3.24-rc allows remote attackers to cause a denial of service (assertion failure and daemon exit) by performing link
CVE-2012-2249
<= 0.2.3.22
Tor before 0.2.3.23-rc allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a renegotiatio
CVE-2013-7295
<= 0.2.4.19
Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Br
CVE-2012-5573
<= 0.2.3.24
The connection_edge_process_relay_cell function in or/relay.c in Tor before 0.2.3.25 maintains circuits even if an unexpected SEND
CVE-2012-4922
<= 0.2.2.38
The tor_timegm function in common/util.c in Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.22-rc, does not properly validate time v
CVE-2012-4419
<= 0.2.2.38
The compare_tor_addr_to_addr_policy function in or/policies.c in Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.21-rc, allows remot
CVE-2012-3519
<= 0.2.2.37
routerlist.c in Tor before 0.2.2.38 uses a different amount of time for relay-list iteration depending on which relay is chosen, w
CVE-2012-3518
<= 0.2.2.37
The networkstatus_parse_vote_from_string function in routerparse.c in Tor before 0.2.2.38 does not properly handle an invalid flav
CVE-2012-3517
<= 0.2.2.37
Use-after-free vulnerability in dns.c in Tor before 0.2.2.38 might allow remote attackers to cause a denial of service (daemon cra
CVE-2011-4897
<= 0.2.2.24
Tor before 0.2.2.25-alpha, when configured as a relay without the Nickname configuration option, uses the local hostname as the Ni
CVE-2011-4896
<= 0.2.2.23
Tor before 0.2.2.24-alpha continues to use a reachable bridge that was previously configured but is not currently configured, whic
CVE-2011-4895
<= 0.2.2.33
Tor before 0.2.2.34, when configured as a bridge, sets up circuits through a process different from the process used by a client,
CVE-2011-4894
<= 0.2.2.33
Tor before 0.2.2.34, when configured as a bridge, uses direct DirPort access instead of a Tor TLS connection for a directory fetch
CVE-2011-2778
<= 0.2.2.34
Multiple heap-based buffer overflows in Tor before 0.2.2.35 allow remote attackers to cause a denial of service (memory corruption
CVE-2011-2769
<= 0.2.2.33
Tor before 0.2.2.34, when configured as a bridge, accepts the CREATE and CREATE_FAST values in the Command field of a cell within
CVE-2011-2768
<= 0.2.2.33
Tor before 0.2.2.34, when configured as a client or bridge, sends a TLS certificate chain as part of an outgoing OR connection, wh
CVE-2011-1924
<= 0.2.1.29
Buffer overflow in the policy_summarize function in or/policies.c in Tor before 0.2.1.30 allows remote attackers to cause a denial
CVE-2011-0493
<= 0.2.1.28
Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha might allow remote attackers to cause a denial of service (assertion failure
CVE-2011-0492
<= 0.2.1.28
Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha allows remote attackers to cause a denial of service (assertion failure and
CVE-2011-0491
<= 0.2.1.28
The tor_realloc function in Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not validate a certain size value during me
CVE-2011-0490
<= 0.2.1.28
Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha makes calls to Libevent within Libevent log handlers, which might allow remo
CVE-2011-0427
<= 0.2.1.28
Heap-based buffer overflow in Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha allows remote attackers to cause a denial of s
CVE-2011-0016
<= 0.2.1.28
Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not properly manage key data in memory, which might allow local users t
CVE-2011-0015
<= 0.2.1.28
Tor before 0.2.1.29 and 0.2.2.x before 0.2.2.21-alpha does not properly check the amount of compression in zlib-compressed data, w
CVE-2010-1676
<= 0.2.1.1.27
Heap-based buffer overflow in Tor before 0.2.1.28 and 0.2.2.x before 0.2.2.20-alpha allows remote attackers to cause a denial of s
CVE-2010-0385
all versions
Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, when functioning as a bridge directory authority, allows remote attackers t
CVE-2010-0384
all versions
Tor 0.2.2.x before 0.2.2.7-alpha, when functioning as a directory mirror, does not prevent logging of the client IP address upon d
CVE-2010-0383
all versions
Tor before 0.2.1.22, and 0.2.2.x before 0.2.2.7-alpha, uses deprecated identity keys for certain directory authorities, which make
CVE-2009-2426
all versions
The connection_edge_process_relay_cell_not_open function in src/or/relay.c in Tor 0.2.x before 0.2.0.35 and 0.1.x before 0.1.2.8-b
CVE-2009-2425
all versions
Tor before 0.2.0.35 allows remote attackers to cause a denial of service (application crash) via a malformed router descriptor.
CVE-2009-0939
<= 0.2.0.33
Tor before 0.2.0.34 treats incomplete IPv4 addresses as valid, which has unknown impact and attack vectors related to "Spec confor
CVE-2009-0938
<= 0.2.0.33
Unspecified vulnerability in Tor before 0.2.0.34 allows directory mirrors to cause a denial of service (exit node crash) via "malf
CVE-2009-0937
<= 0.2.0.33
Unspecified vulnerability in Tor before 0.2.0.34 allows directory mirrors to cause a denial of service via unknown vectors.
CVE-2009-0936
<= 0.2.0.33
Unspecified vulnerability in Tor before 0.2.0.34 allows attackers to cause a denial of service (infinite loop) via "corrupt votes.
CVE-2009-0654
<= 0.2.0.34
Tor 0.2.0.28, and probably 0.2.0.34 and earlier, allows remote attackers, with control of an entry router and an exit router, to c
CVE-2009-0414
all versions
Unspecified vulnerability in Tor before 0.2.0.33 has unspecified impact and remote attack vectors that trigger heap corruption.
CVE-2008-5398
<= 0.1.2.31
Tor before 0.2.0.32 does not properly process the ClientDNSRejectInternalAddresses configuration option in situations where an exi
CVE-2008-5397
<= 0.1.2.31
Tor before 0.2.0.32 does not properly process the (1) User and (2) Group configuration options, which might allow local users to g
CVE-2007-4174
<= 0.1.2.15
Tor before 0.1.2.16, when ControlPort is enabled, does not properly restrict commands to localhost port 9051, which allows remote
CVE-2007-4099
all versions
Tor before 0.1.2.15 can select a guard node beyond the first listed never-before-connected-to guard node, which allows remote atta
CVE-2007-4098
all versions
Tor before 0.1.2.15 does not properly distinguish "streamids from different exits," which might allow remote attackers with contro
CVE-2007-4097
all versions
Tor before 0.1.2.15 sends "destroy cells" containing the reason for tearing down a circuit, which allows remote attackers to obtai
CVE-2007-4096
all versions
Buffer overflow in Tor before 0.1.2.15, when using BSD natd support, allows remote attackers to cause a denial of service via unsp
CVE-2007-3165
all versions
Tor before 0.1.2.14 can construct circuits in which an entry guard is in the same family as the exit node, which might compromise
CVE-2007-1103
<= 0.1.1.26
Tor does not verify a node's uptime and bandwidth advertisements, which allows remote attackers who operate a low resource node to
CVE-2006-6893
all versions
Tor allows remote attackers to discover the IP address of a hidden service by accessing this service at a high rate, thereby chang
CVE-2006-4508
all versions
Unspecified vulnerability in (1) Tor 0.1.0.x before 0.1.0.18 and 0.1.1.x before 0.1.1.23, and (2) ScatterChat before 1.0.2, allows
CVE-2006-3419
all versions
Tor before 0.1.1.20 uses OpenSSL pseudo-random bytes (RAND_pseudo_bytes) instead of cryptographically strong RAND_bytes, and seeds
CVE-2006-3418
all versions
Tor before 0.1.1.20 does not validate that a server descriptor's fingerprint line matches its identity key, which allows remote at
CVE-2006-3417
all versions
Tor client before 0.1.1.20 prefers entry points based on is_fast or is_stable flags, which could allow remote attackers to be pref
CVE-2006-3416
all versions
Tor before 0.1.1.20 kills the circuit when it receives an unrecognized relay command, which causes network circuits to be disbande
CVE-2006-3415
all versions
Tor before 0.1.1.20 uses improper logic to validate the "OR" destination, which allows remote attackers to perform a man-in-the-mi
CVE-2006-3414
all versions
Tor before 0.1.1.20 supports server descriptors that contain hostnames instead of IP addresses, which allows remote attackers to a
CVE-2006-3413
all versions
The privoxy configuration file in Tor before 0.1.1.20, when run on Apple OS X, logs all data via the "logfile", which allows attac
CVE-2006-3412
all versions
Tor before 0.1.1.20 does not sufficiently obey certain firewall options, which allows remote attackers to bypass intended access r
CVE-2006-3411
all versions
TLS handshakes in Tor before 0.1.1.20 generate public-private keys based on TLS context rather than the connection, which makes it
CVE-2006-3410
all versions
Tor before 0.1.1.20 creates "internal circuits" primarily consisting of nodes with "useful exit nodes," which allows remote attack
CVE-2006-3409
all versions
Integer overflow in Tor before 0.1.1.20 allows remote attackers to execute arbitrary code via crafted large inputs, which result i
CVE-2006-3408
all versions
Unspecified vulnerability in the directory server (dirserver) in Tor before 0.1.1.20 allows remote attackers to cause an unspecifi
CVE-2006-3407
all versions
Tor before 0.1.1.20 allows remote attackers to spoof log entries or possibly execute shell code via strings with non-printable cha
CVE-2006-0414
all versions
Tor before 0.1.1.20 allows remote attackers to identify hidden services via a malicious Tor server that attempts a large number of
CVE-2005-2643
all versions
Tor 0.1.0.13 and earlier, and experimental versions 0.1.1.4-alpha and earlier, does not reject certain weak keys when using epheme
CVE-2005-2050
all versions
Unknown vulnerability in Tor before 0.1.0.10 allows remote attackers to read arbitrary memory and possibly key information from th
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin