CVE-2017-8823
HIGHTor < 0.2.5.16, 0.2.6-0.2.8 < 0.2.8.17, 0.2.9 < 0.2.9.14, 0.3.0 < 0.3.0.13, 0.3.1 < 0.3.1.9 - Use-After-Free
Title source: llmDescription
In Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9, there is a use-after-free in onion service v2 during intro-point expiration because the expiring list is mismanaged in certain error cases, aka TROVE-2017-013.
References (4)
Core 4
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugs.torproject.org/24313
Vendor Advisory x_refsource_confirm
https://blog.torproject.org/new-stable-tor-releases-security-fixes-0319-03013-02914-02817-02516
Vendor Advisory x_refsource_confirm
https://bugs.torproject.org/24430
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2017/dsa-4054
Scores
CVSS v3
8.1
EPSS
0.0160
EPSS Percentile
72.9%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-416
Status
published
Products (4)
debian/debian_linux
8.0
debian/debian_linux
9.0
n/a/Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.13, and 0.3.1 before 0.3.1.9
Tor before 0.2.5.16, 0.2.6 through 0.2.8 before 0.2.8.17, 0.2.9 before 0.2.9.14, 0.3.0 before 0.3.0.
tor_project/tor
< 0.2.5.16
Published
Dec 03, 2017
Tracked Since
Feb 18, 2026