Every CVE whose affected-product data names Torproject Tor, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (41)
CVE-2021-34548 — CVSS 7.5 (high): An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-003. An attacker can forge RELAY_END or RELAY_RESOLVED to bypass the intended…
CVE-2021-34550 — CVSS 7.5 (high): An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-006. The v3 onion service descriptor parsing allows out-of-bounds memory…
CVE-2021-38385 — CVSS 7.5 (high): Tor before 0.3.5.16, 0.4.5.10, and 0.4.6.7 mishandles the relationship between batch-signature verification and single-signature…
CVE-2018-0491 — CVSS 7.5 (high): A use-after-free issue was discovered in Tor 0.3.2.x before 0.3.2.10. It allows remote attackers to cause a denial of service (relay crash)…
CVE-2019-8955 — CVSS 7.5 (high): In Tor before 0.3.3.12, 0.3.4.x before 0.3.4.11, 0.3.5.x before 0.3.5.8, and 0.4.x before 0.4.0.2-alpha, remote denial of service against…
CVE-2020-10592 — CVSS 7.5 (high): Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (CPU…
CVE-2020-10593 — CVSS 7.5 (high): Tor before 0.3.5.10, 0.4.x before 0.4.1.9, and 0.4.2.x before 0.4.2.7 allows remote attackers to cause a Denial of Service (memory leak)…
CVE-2020-15572 — CVSS 7.5 (high): Tor before 0.4.3.6 has an out-of-bounds memory access that allows a remote denial-of-service (crash) attack against Tor instances built to…
CVE-2021-28089 — CVSS 7.5 (high): Tor before 0.4.5.7 allows a remote participant in the Tor directory protocol to exhaust CPU resources on a target, aka TROVE-2021-001.
CVE-2021-34549 — CVSS 7.5 (high): An issue was discovered in Tor before 0.4.6.5, aka TROVE-2021-005. Hashing is mishandled for certain retrieval of circuit data…
CVE-2015-2688 — CVSS 7.5 (high): buf_pullup in Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle unexpected arrival times of buffers with invalid…
CVE-2015-2689 — CVSS 7.5 (high): Tor before 0.2.4.26 and 0.2.5.x before 0.2.5.11 does not properly handle pending-connection resolve states during periods of high DNS load…
CVE-2015-2928 — CVSS 7.5 (high): The Hidden Service (HS) server implementation in Tor before 0.2.4.27, 0.2.5.x before 0.2.5.12, and 0.2.6.x before 0.2.6.7 allows remote…
CVE-2015-2929 — CVSS 7.5 (high): The Hidden Service (HS) client implementation in Tor before 0.2.4.27, 0.2.5.x before 0.2.5.12, and 0.2.6.x before 0.2.6.7 allows remote…
CVE-2016-1254 — CVSS 7.5 (high): Tor before 0.2.8.12 might allow remote attackers to cause a denial of service (client crash) via a crafted hidden service descriptor.
CVE-2016-8860 — CVSS 7.5 (high): Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data had NUL…
CVE-2017-0375 — CVSS 7.5 (high): The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the…
CVE-2017-0376 — CVSS 7.5 (high): The hidden-service feature in Tor before 0.3.0.8 allows a denial of service (assertion failure and daemon exit) in the…
CVE-2017-0377 — CVSS 7.5 (high): Tor 0.3.x before 0.3.0.9 has a guard-selection algorithm that only considers the exit relay (not the exit relay's family), which might…
CVE-2018-0490 — CVSS 7.5 (high): An issue was discovered in Tor before 0.2.9.15, 0.3.1.x before 0.3.1.10, and 0.3.2.x before 0.3.2.10. The directory-authority protocol-list…
CVE-2017-16541 — CVSS 6.5 (medium): Tor Browser before 7.0.9 on macOS and Linux allows remote attackers to bypass the intended anonymity feature and discover a client IP…
CVE-2023-23589 — CVSS 6.5 (medium): The SafeSocks option in Tor before 0.4.7.13 has a logic error in which the unsafe SOCKS4 protocol can be used but not the safe SOCKS4a…
CVE-2017-0380 — CVSS 5.9 (medium): The rend_service_intro_established function in or/rendservice.c in Tor before 0.2.8.15, 0.2.9.x before 0.2.9.12, 0.3.0.x before 0.3.0.11…
CVE-2014-5117 — CVSS 5.8 (medium): Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit after an inbound RELAY_EARLY cell is received by a client, which…
CVE-2021-46702 — CVSS 5.5 (medium): Tor Browser 9.0.7 on Windows 10 build 10586 is vulnerable to information disclosure. This could allow local attackers to bypass the…
CVE-2020-8516 — CVSS 5.3 (medium): The daemon in Tor through 0.4.1.8 and 0.4.2.x through 0.4.2.6 does not verify that a rendezvous node is known before attempting to connect…
CVE-2021-28090 — CVSS 5.3 (medium): Tor before 0.4.5.7 allows a remote attacker to cause Tor directory authorities to exit with an assertion failure, aka TROVE-2021-002.
CVE-2012-2249 — CVSS 5.0 (medium): Tor before 0.2.3.23-rc allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a renegotiation attempt…
CVE-2012-2250 — CVSS 5.0 (medium): Tor before 0.2.3.24-rc allows remote attackers to cause a denial of service (assertion failure and daemon exit) by performing link protocol…
CVE-2012-4419 — CVSS 5.0 (medium): The compare_tor_addr_to_addr_policy function in or/policies.c in Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.21-rc, allows remote…
CVE-2012-4922 — CVSS 5.0 (medium): The tor_timegm function in common/util.c in Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.22-rc, does not properly validate time values…
CVE-2012-5573 — CVSS 5.0 (medium): The connection_edge_process_relay_cell function in or/relay.c in Tor before 0.2.3.25 maintains circuits even if an unexpected SENDME cell…
CVE-2013-7295 — CVSS 4.0 (medium): Tor before 0.2.4.20, when OpenSSL 1.x is used in conjunction with a certain HardwareAccel setting on Intel Sandy Bridge and Ivy Bridge…
CVE-2026-44597 — CVSS 3.7 (low): Tor before 0.4.9.7 has an out-of-bounds read when an END, a TRUNCATE, or a TRUNCATED cell lacks a reason in its payload, aka TROVE-2026-011.
CVE-2026-44600 — CVSS 3.7 (low): Tor before 0.4.9.7 mishandles accounting of the conflux out-of-order queue during the clearing of a queue, aka TROVE-2026-010.
CVE-2026-44601 — CVSS 3.7 (low): Tor before 0.4.9.7, when circuit queue memory pressure exists, can experience a client crash because of a double close of a circuit, aka…
CVE-2026-44602 — CVSS 3.7 (low): Tor before 0.4.9.7 has a NULL pointer dereference when a CERT cell is received out of order, aka TROVE-2026-006.
CVE-2026-44603 — CVSS 3.7 (low): Tor before 0.4.9.7 has an out-of-bounds read by one byte via a malformed BEGIN cell, aka TROVE-2026-007.