Cyber Resilience

CVE-2026-44602

Low · Updated

Published: 07 May 2026
Modified: 17 June 2026
KEV Added
Patch
CVSS Score v3.1: 3.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0033 (24.9th percentile)
Risk Priority: 15 (floored blend · peak EPSS)

Summary

CVE-2026-44602 is a low-severity NULL Pointer Dereference (CWE-476) vulnerability in Torproject Tor. Its CVSS base score is 3.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 24.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

NULL pointer dereference in Tor protocol handling directly enables remote crash/DoS via crafted CERT cells, matching application exploitation for endpoint denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44597 · Same product: Torproject Tor
CVE-2021-34549 · Same product: Torproject Tor
CVE-2026-44601 · Same product: Torproject Tor
CVE-2026-44600 · Same product: Torproject Tor
CVE-2026-44599 · Same product: Torproject Tor
CVE-2021-34550 · Same product: Torproject Tor
CVE-2021-38385 · Same product: Torproject Tor
CVE-2021-34548 · Same product: Torproject Tor
CVE-2026-44603 · Same product: Torproject Tor
CVE-2022-33903 · Same product: Torproject Tor

Affected Assets

Vendor: torproject
Product: tor
Version: ≤ 0.4.9.7

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References