Cyber Resilience

CVE-2026-44599

Severity: Low (record updated)

Published: 07 May 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: (not specified)
CVSS Score v3.1: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
EPSS Score: 0.0029 (20.5th percentile)
Risk Priority: 15 (floored blend · peak EPSS)

Summary

CVE-2026-44599 is a low-severity Incorrect Resource Transfer Between Spheres (CWE-669) vulnerability in Torproject Tor. Its CVSS base score is 3.7 (Low).

Operationally, it ranks at the 20.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Tor before 0.4.9.7 can attempt or accept BEGIN_DIR via conflux legs, aka TROVE-2026-008.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

  • CVE-2026-44601 (same product: Torproject Tor)
  • CVE-2026-44602 (same product: Torproject Tor)
  • CVE-2022-33903 (same product: Torproject Tor)
  • CVE-2021-34550 (same product: Torproject Tor)
  • CVE-2026-44600 (same product: Torproject Tor)
  • CVE-2021-34548 (same product: Torproject Tor)
  • CVE-2021-38385 (same product: Torproject Tor)
  • CVE-2026-44603 (same product: Torproject Tor)
  • CVE-2021-34549 (same product: Torproject Tor)
  • CVE-2026-44597 (same product: Torproject Tor)

Affected Assets

Vendor: torproject
Product: tor
Versions: ≤ 0.4.9.7

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

  • Addresses CWE-669: enforces proper authorization rules for any resource or data transfer between different spheres.
  • Addresses CWE-669: accountability, documentation, and protection requirements ensure correct transfer of media resources between spheres.
  • Addresses CWE-669: reduces incorrect transfers between spheres by establishing clear, separate domains for different sensitivities or functions.
  • Addresses CWE-669: governs all resource transfers between spheres, preventing incorrect or unauthorized movement of data or capabilities across domain interfaces.
  • Addresses CWE-669: addresses incorrect transfer of resources to an uncontrolled sphere by requiring approved destruction or sanitization methods.

Hardening callouts (derived)

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via the CVE→CWE→STIG mapping over `controls_xwalks` (authoritative rows only).

Oracle Linux 9 (1 rule)
  • V-271462: OL 9 must not have a File Transfer Protocol (FTP) server package installed. (via CWE-669)
RHEL 7 (1 rule)
  • V-204442: The Red Hat Enterprise Linux operating system must not have the rsh-server package installed. (via CWE-669)

References