CVE-2026-44602
Low
Published: 07 May 2026
Modified: 08 May 2026
KEV Added: —
Patch: —
CVSS Score: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0006 (17.1th percentile)
Risk Priority: 7 (60% EPSS · 20% KEV · 20% CVSS)
Summary
CVE-2026-44602 is a low-severity NULL Pointer Dereference (CWE-476) vulnerability in Torproject Tor. Its CVSS base score is 3.7 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 17.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
Threat & Defense Details
MITRE ATT&CK Enterprise Techniques (AI)
T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?
NULL pointer dereference in Tor protocol handling directly enables remote crash/DoS via crafted CERT cells, matching application exploitation for endpoint denial of service.
Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
NVD Description
Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006.
Details
- CWE(s): CWE-476 (NULL Pointer Dereference)
Affected Products
torproject tor ≤ 0.4.9.7
CVEs Like This One
CVE-2026-44599 (Same product: Torproject Tor)
CVE-2026-44597 (Same product: Torproject Tor)
CVE-2026-44600 (Same product: Torproject Tor)
CVE-2026-44603 (Same product: Torproject Tor)
CVE-2026-44601 (Same product: Torproject Tor)
CVE-2026-31256 (Shared CWE-476)
CVE-2026-7376 (Shared CWE-476)
CVE-2025-69624 (Shared CWE-476)
CVE-2026-31638 (Shared CWE-476)
CVE-2026-20875 (Shared CWE-476)