High severity7.5NVD Advisory· Published Jan 4, 2017· Updated May 6, 2026

CVE-2016-8860

Description

Tor before 0.2.8.9 and 0.2.9.x before 0.2.9.4-alpha had internal functions that were entitled to expect that buf_t data had NUL termination, but the implementation of or/buffers.c did not ensure that NUL termination was present, which allows remote attackers to cause a denial of service (client, hidden service, relay, or authority crash) via crafted data.

Affected products

Torproject/Tor5 versions
cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:*+ 4 more
- cpe:2.3:a:torproject:tor:*:*:*:*:*:*:*:*range: <=0.2.8.8
- cpe:2.3:a:torproject:tor:0.2.9.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.2.9.1:alpha:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.2.9.2:alpha:*:*:*:*:*:*
- cpe:2.3:a:torproject:tor:0.2.9.3:alpha:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/torproject/tor/commit/3cea86eb2fbb65949673eb4ba8ebb695c87a57cenvdPatchVendor Advisory
openwall.com/lists/oss-security/2016/10/19/11nvdThird Party Advisory
blog.torproject.org/blog/tor-0289-released-important-fixesnvdRelease NotesVendor Advisory
trac.torproject.org/projects/tor/ticket/20384nvdVendor Advisory
www.debian.org/security/2016/dsa-3694nvd
www.securityfocus.com/bid/95116nvd
security.gentoo.org/glsa/201612-45nvd

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.002
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000