Fedora 43 and 44 Tor Updates Address Denial of Service Vulnerabilities
Severity: Medium (Score: 57.9)
Sources: Linuxsecurity
Keywords: update, latest, upstream, release, fedora, denial, service
Severity indicators: vulnerabilities
Summary
On May 15, 2026, Fedora released updated Tor packages (0.4.9.8-1) for Fedora 43 and 44. The update fixes six CVEs, all published on May 7, 2026: CVE-2026-44597, CVE-2026-44599, CVE-2026-44600, CVE-2026-44601, CVE-2026-44602 and CVE-2026-44603. Five are denial of service issues in Tor's handling of protocol cells (out-of-order and malformed CERT cells, malformed BEGIN cells, an out-of-bounds read, and a double close of a circuit); CVE-2026-44599 is described as a low-impact integrity issue in directory message handling. A remote peer able to send crafted cells could crash the Tor process or disrupt service. Affected systems are Fedora 43 and 44 installations running the Tor service. Users should apply the update with dnf.

Key Points:
• Fedora released updates for Tor on May 15, 2026, addressing six CVEs.
• Five of the CVEs are denial of service issues that can crash Tor or disrupt service for its users.
• Users are urged to apply the updates promptly.
Detailed Analysis
**Impact**

Users of Fedora 43 and 44 running Tor are affected by multiple denial of service (DoS) vulnerabilities. The issues could disrupt Tor operation, impacting privacy-focused users and services relying on Tor for anonymity. No specific sectors, geographies, or data at risk are detailed in the sources.

**Technical Details**

The vulnerabilities are CVE-2026-44597, CVE-2026-44599, CVE-2026-44600, CVE-2026-44601, CVE-2026-44602 and CVE-2026-44603. With the exception of CVE-2026-44599 (a low-impact integrity issue in directory message handling), they are denial of service conditions: out-of-order CERT cells, malformed CERT cells, malformed BEGIN cells, an out-of-bounds read, and a client crash caused by a double close of a circuit. The attack vector is a remote peer sending malformed or out-of-sequence Tor protocol cells to crash the process or disrupt service. No malware, tools, or IOCs are mentioned.

**Recommended Response**

Apply the Fedora security update for tor 0.4.9.8-1 using dnf upgrade with advisory FEDORA-2026-0c38968a1b (Fedora 43) or FEDORA-2026-5ce7cc46bb (Fedora 44), then confirm the installed package version is at least 0.4.9.8-1 and restart the Tor service if it is not restarted by the update. Monitor Tor logs for abnormal circuit closures or warnings about malformed cells. Where possible, limit exposure of the Tor process to untrusted network input (for example, do not expose ORPort or DirPort on hosts that only need a client).
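The remediation described above, as an added example (not part of the Fedora advisory or of the Tor project): select the advisory for the running Fedora release, apply it with dnf, then verify the installed tor package against the fixed version-release 0.4.9.8-1. The advisory IDs and the fixed version come from the page; the use of /etc/os-release, the stripping of the `.fcNN` dist tag from the RPM release, and the pure-shell version comparison are my assumptions.

```shell
#!/bin/sh
# Added example: apply the Fedora tor advisory and verify the installed version.
# Not the advisory's own script. Assumes Fedora with rpm/dnf and /etc/os-release.

FIXED_VR="0.4.9.8-1"   # fixed version-release stated in the advisory

# Compare two dotted numeric version strings, optionally with "-release".
# Prints 0 if a == b, 1 if a > b, 2 if a < b. Missing segments count as 0.
# Assumes numeric segments only (the .fcNN dist tag is stripped beforehand).
vr_cmp() {
    a=$(printf '%s' "$1" | sed 's/-/./g')
    b=$(printf '%s' "$2" | sed 's/-/./g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; if [ "$ah" = "$a" ]; then a=''; else a=${a#*.}; fi
        bh=${b%%.*}; if [ "$bh" = "$b" ]; then b=''; else b=${b#*.}; fi
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -gt "$bh" ]; then echo 1; return; fi
        if [ "$ah" -lt "$bh" ]; then echo 2; return; fi
    done
    echo 0
}

# Returns 0 when the given version-release is at least FIXED_VR.
tor_is_fixed() {
    case $(vr_cmp "$1" "$FIXED_VR") in
        0|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# Installed tor version-release with the Fedora dist tag (e.g. ".fc44") removed.
# Prints nothing if the package is not installed.
installed_tor_vr() {
    rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' tor 2>/dev/null | sed 's/\.fc[0-9]*$//'
}

main() {
    # Advisory IDs from the Fedora update notices on this page.
    case $(. /etc/os-release && echo "$VERSION_ID") in
        43) adv=FEDORA-2026-0c38968a1b ;;
        44) adv=FEDORA-2026-5ce7cc46bb ;;
        *)  echo "unsupported Fedora release" >&2; exit 2 ;;
    esac
    sudo dnf upgrade --refresh --advisories="$adv"

    vr=$(installed_tor_vr)
    if tor_is_fixed "$vr"; then
        echo "tor $vr: fixed (>= $FIXED_VR)"
    else
        echo "tor ${vr:-not installed}: still vulnerable, expected >= $FIXED_VR" >&2
        exit 1
    fi
}

# Only run the privileged part when explicitly asked, so the functions can be sourced.
case "${1:-}" in
    --apply) main ;;
esac
```

Run it as `sh tor-fix.sh --apply`; the version check alone can be reused by sourcing the file and calling `tor_is_fixed "$(installed_tor_vr)"`, for example from a fleet compliance job.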
Source articles (2)
- Fedora 44 Tor Significant Denial of Service Resolution 2026 — Linuxsecurity · 2026-05-26
  Update to latest upstream release release-0-4-8-25-and-0-4-9-8/21559 * Fri May 15 2026 Marcel Hrry - 0.4.9.8-1 - Update to latest upstream release - Fix CVE-2026-44600 (bz#2476455 / bz#2476454) - Fix…
- Fedora 43 Tor Security Update Resolves Denial Of Service Vulnerabilities — Linuxsecurity · 2026-05-26
  Update to latest upstream release release-0-4-8-25-and-0-4-9-8/21559 * Fri May 15 2026 Marcel Hrry - 0.4.9.8-1 - Update to latest upstream release - Fix CVE-2026-44600 (bz#2476455 / bz#2476454) - Fix…
Timeline
- 2026-05-07 — CVE-2026-44597 published: CVE-2026-44597 details a denial of service vulnerability due to out-of-bounds read in Tor.
- 2026-05-07 — CVE-2026-44599 published: CVE-2026-44599 involves low integrity impact via directory message manipulation in Tor.
- 2026-05-07 — CVE-2026-44600 published: CVE-2026-44600 describes a denial of service vulnerability via malformed CERT cells.
- 2026-05-07 — CVE-2026-44601 published: CVE-2026-44601 details a client crash due to double close of a circuit in Tor.
- 2026-05-07 — CVE-2026-44602 published: CVE-2026-44602 outlines a denial of service vulnerability via out-of-order CERT cells.
- 2026-05-07 — CVE-2026-44603 published: CVE-2026-44603 describes a denial of service vulnerability via malformed BEGIN cells.
- 2026-05-15 — Fedora updates Tor to fix vulnerabilities: Fedora released updates for Tor to address multiple denial of service vulnerabilities, urging users to upgrade.
CVEs
- CVE-2026-44597 (out-of-bounds read, denial of service)
- CVE-2026-44599 (directory message manipulation, low integrity impact)
- CVE-2026-44600 (malformed CERT cells, denial of service)
- CVE-2026-44601 (double close of a circuit, client crash)
- CVE-2026-44602 (out-of-order CERT cells, denial of service)
- CVE-2026-44603 (malformed BEGIN cells, denial of service)
Related entities
- Denial of Service (Attack Type)
- CWE-125 - Out-of-bounds Read (Cwe)
- T1499 - Endpoint Denial of Service (Mitre Attack)
- Fedora (Company)
- Tor (Platform)