CVE-2019-8955

high-risk
Published 2019-02-21

In Tor before 0.3.3.12, 0.3.4.x before 0.3.4.11, 0.3.5.x before 0.3.5.8, and 0.4.x before 0.4.0.2-alpha, remote denial of service against Tor clients and relays can occur via memory exhaustion in the KIST cell scheduler.

Do I need to act?

~
1.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (18)

Tor
Tor
Tor
Tor
Tor
Tor
Tor
Tor
Tor
Tor
Tor
Tor
Tor
Tor
Tor
Tor
Tor
Tor

Affected Vendors

Torproject

References (8)

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00013.html
Third Party Advisory http://www.securityfocus.com/bid/107136
Vendor Advisory https://blog.torproject.org/new-releases-tor-0402-alpha-0358-03411-and-03312
Vendor Advisory https://trac.torproject.org/projects/tor/ticket/29168
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00013.html
Third Party Advisory http://www.securityfocus.com/bid/107136
Vendor Advisory https://blog.torproject.org/new-releases-tor-0402-alpha-0358-03411-and-03312
Vendor Advisory https://trac.torproject.org/projects/tor/ticket/29168
50
/ 100
high-risk
Severity 26/34 · High
Exploitability 5/34 · Minimal
Exposure 19/34 · Moderate