
CVE-2026-44597

Severity: Low (entry updated)

Published: 07 May 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: upgrade to Tor 0.4.9.7 or later (the description names versions before 0.4.9.7 as affected)
CVSS Score v3.1: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0045 (36.1st percentile)
Risk Priority: 15 (floored blend · peak EPSS)

Summary

CVE-2026-44597 is a low-severity vulnerability in Tor (Torproject Tor). NVD classifies it as Incorrect Provision of Specified Functionality (CWE-684); the defect itself, as described below, is an out-of-bounds read, which is more commonly classified as CWE-125 (Out-of-bounds Read). Its CVSS v3.1 base score is 3.7 (Low): reachable over the network with high attack complexity, no privileges and no user interaction, with a low availability impact and no confidentiality or integrity impact (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L).

Operationally, its EPSS score places it at the 36.1st percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011.
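The defect described above is a length check that is missing before a one-byte field is read. The C example below is added here and is not Tor's code; it models a relay cell with the layout and command numbers given in tor-spec (command, recognized, stream ID, digest, length, then 498 bytes of data; END = 3, TRUNCATE = 8, TRUNCATED = 9) and places a reason-byte reader that trusts the cell beside one that checks the declared length first. How Tor stores cells internally and what its fix changed are not stated on this page, so the function names, the error codes and the "stale byte" model of what the unchecked read returns are assumptions of this example, not a description of the real bug's memory behaviour.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Relay cell layout as documented in tor-spec (the 509-byte cell payload):
 *   command(1) | recognized(2) | streamID(2) | digest(4) | length(2) | data(498)
 * Relay command numbers from tor-spec: END = 3, TRUNCATE = 8, TRUNCATED = 9.
 * Everything else in this file is illustrative and not taken from Tor's sources.
 */
#define CELL_PAYLOAD_LEN  509
#define RELAY_HEADER_LEN  11
#define RELAY_DATA_LEN    (CELL_PAYLOAD_LEN - RELAY_HEADER_LEN)  /* 498 */

enum { RELAY_END = 3, RELAY_TRUNCATE = 8, RELAY_TRUNCATED = 9 };

/* Hypothetical error codes for the reason readers below. */
enum { REASON_ERR_NOT_REASON_CELL = -1, REASON_ERR_NO_REASON = -2 };

typedef struct {
    uint8_t  command;
    uint16_t stream_id;
    uint16_t length;                 /* how many bytes of data[] the sender actually filled */
    uint8_t  data[RELAY_DATA_LEN];   /* fixed buffer: bytes past `length` are stale, not absent */
} relay_cell_t;

/* Decode the wire form. Rejects a length field larger than the data area. */
int relay_cell_parse(const uint8_t wire[CELL_PAYLOAD_LEN], relay_cell_t *out) {
    out->command   = wire[0];
    out->stream_id = (uint16_t)((wire[3] << 8) | wire[4]);
    out->length    = (uint16_t)((wire[9] << 8) | wire[10]);
    if (out->length > RELAY_DATA_LEN)
        return -1;
    memcpy(out->data, wire + RELAY_HEADER_LEN, RELAY_DATA_LEN);
    return 0;
}

/* The page groups END, TRUNCATE and TRUNCATED as the cells carrying a reason byte. */
static int carries_reason(uint8_t cmd) {
    return cmd == RELAY_END || cmd == RELAY_TRUNCATE || cmd == RELAY_TRUNCATED;
}

/* Vulnerable pattern: assumes the reason byte is always present. With length == 0
 * the read lands past what the peer sent; in this model that is whatever the
 * buffer held before, in other layouts it would be a true out-of-bounds read. */
int relay_reason_unchecked(const relay_cell_t *c) {
    if (!carries_reason(c->command))
        return REASON_ERR_NOT_REASON_CELL;
    return c->data[0];
}

/* Hardened pattern: the declared length must cover the byte before it is read. */
int relay_reason_checked(const relay_cell_t *c) {
    if (!carries_reason(c->command))
        return REASON_ERR_NOT_REASON_CELL;
    if (c->length < 1)
        return REASON_ERR_NO_REASON;   /* malformed cell: treat as a protocol violation */
    return c->data[0];
}

/* Constructed test input. When has_reason is 0 the length field is 0 and `stale`
 * is placed in data[0] to model a reused cell buffer. */
void make_cell(relay_cell_t *c, uint8_t cmd, int has_reason, uint8_t reason, uint8_t stale) {
    uint8_t wire[CELL_PAYLOAD_LEN];
    memset(wire, 0, sizeof wire);
    wire[0]  = cmd;
    wire[3]  = 0x00; wire[4] = 0x2a;             /* stream ID 42 */
    wire[9]  = 0;
    wire[10] = has_reason ? 1 : 0;
    wire[RELAY_HEADER_LEN] = has_reason ? reason : stale;
    relay_cell_parse(wire, c);
}

/* Build a cell and read its reason with either reader (use_check != 0 selects the hardened one). */
int reason_for(uint8_t cmd, int has_reason, uint8_t reason, uint8_t stale, int use_check) {
    relay_cell_t c;
    make_cell(&c, cmd, has_reason, reason, stale);
    return use_check ? relay_reason_checked(&c) : relay_reason_unchecked(&c);
}

/* Result of parsing an END cell whose length field is `len` (0 accepted, -1 rejected). */
int parse_result_for_length(uint16_t len) {
    uint8_t wire[CELL_PAYLOAD_LEN] = {0};
    relay_cell_t c;
    wire[0]  = RELAY_END;
    wire[9]  = (uint8_t)(len >> 8);
    wire[10] = (uint8_t)(len & 0xff);
    return relay_cell_parse(wire, &c);
}

int main(void) {
    /* END cell with no reason byte; 0x06 is left over in the buffer. */
    printf("unchecked reader: %d   checked reader: %d\n",
           reason_for(RELAY_END, 0, 0, 0x06, 0), reason_for(RELAY_END, 0, 0, 0x06, 1));
    return 0;
}
```

The unchecked reader happily reports the stale byte as a reason code, so a peer that sends a zero-length END or TRUNCATED cell controls nothing but still drives the receiver through a code path it never validated; the checked reader turns the same cell into an explicit protocol error that the caller can log and act on (for example by closing the circuit).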

CWE(s)

CWE-684 Incorrect Provision of Specified Functionality (as cited in the NVD entry)
MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

  • CVE-2026-44601 (same product: Torproject Tor)
  • CVE-2026-44602 (same product: Torproject Tor)
  • CVE-2022-33903 (same product: Torproject Tor)
  • CVE-2021-34550 (same product: Torproject Tor)
  • CVE-2026-44599 (same product: Torproject Tor)
  • CVE-2026-44600 (same product: Torproject Tor)
  • CVE-2021-34548 (same product: Torproject Tor)
  • CVE-2021-38385 (same product: Torproject Tor)
  • CVE-2026-44603 (same product: Torproject Tor)
  • CVE-2021-34549 (same product: Torproject Tor)

Affected Assets

Vendor: torproject
Product: tor
Versions: < 0.4.9.7 (all versions before 0.4.9.7, per the description; 0.4.9.7 itself is the fixed release, so the "≤ 0.4.9.7" range shown in the original asset entry overstated the affected set)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the control below is derived from the weakness type (CWE) cited in the NVD entry.

Control addressing CWE-684: periodic checks confirm that specified security and privacy functions are actually provided and operating.

For this CVE the concrete form of that check is a version check: confirm that every Tor instance (relays, bridges, clients and onion services) reports 0.4.9.7 or later, since no configuration setting removes the malformed-cell read.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

RHEL 9 (1 rule)
  • V-258078 RHEL 9 must use a Linux Security Module configured to enforce limits on system services. via CWE-684

Caveat: confining the tor service with a Linux Security Module bounds what a crashed or misbehaving daemon can reach on the host; it does not prevent the out-of-bounds read itself, so it complements rather than replaces the upgrade to 0.4.9.7.
