Tor Browser 15.0.10 Released to Address Critical Identity Leakage

The digital landscape of 2026 has become a high-stakes battlefield where the line between private communication and state-level surveillance is thinner than ever. In this environment, the release of Tor Browser 15.0.10 on April 21, 2026, represents more than just a routine software patch; it is a critical defensive maneuver in the ongoing struggle for online anonymity. As the primary gateway to the Onion Router (Tor) network for millions of journalists, activists, and privacy-conscious citizens, the Tor Browser must maintain an impeccable security posture. The 15.0.10 update directly addresses a sophisticated identity leakage vulnerability and integrates the latest cryptographic standards to ensure the “Onion” remains unpeeled by adversarial actors.

This release arrives at a time when censorship techniques have evolved to include advanced protocol fingerprinting and stateful packet inspection. By rebasing the stable channel on Firefox 140.10.0esr and incorporating essential backports from the bleeding-edge Firefox 150, the Tor Project has reinforced the browser’s core. Furthermore, the inclusion of OpenSSL 3.5.6 provides the cryptographic backbone necessary to thwart modern decryption attempts. For users residing in regions where the Tor network is actively suppressed, such as Russia and Iran, the update to the Snowflake STUN server infrastructure is perhaps the most significant functional improvement, ensuring that the bridges to a free internet remain open.

Closing the Persistence Gap: The New Identity Bug (tor-browser#44288)

The “New Identity” feature is arguably the most vital tool in the Tor Browser’s arsenal. When a user clicks this button, the browser is supposed to perform a digital “factory reset” for the current session. This involves clearing the browser cache, deleting cookies, closing all open tabs, and, crucially, ensuring that the next session starts from a completely clean state with a fresh Tor circuit. However, a significant vulnerability identified as tor-browser#44288 threatened this isolation. In previous iterations, the “New Identity” function failed to effectively block the loading of custom home pages upon the subsequent restart.

This failure created a dangerous persistence vector. If a user had configured a specific, potentially unique homepage, or if a malicious site had successfully altered the homepage preference through a secondary exploit, that page would load immediately after the “New Identity” trigger. From a technical perspective, this could allow a web server to correlate “Identity A” with “Identity B” by observing a consistent IP-to-URL request pattern or by utilizing persistent client-side data that the homepage could access before the new session’s protections were fully initialized. By ensuring that the “New Identity” process now strictly overrides custom homepage parameters in favor of the default, secure Tor start page, Tor Browser 15.0.10 closes a critical loophole that could have been exploited for cross-session tracking or even IP exposure.

Technical Implications of Identity Leakage

Identity leakage in the context of an anonymity tool is not merely a bug; it is a catastrophic failure of the primary mission. In the case of bug #44288, the risk was primarily focused on state persistence. Modern tracking scripts are designed to look for “leaky” transitions. If a browser clears its cookies but fails to clear its memory-resident preferences or fails to prevent a specific URL from loading at the precise moment of transition, a “bridge” is formed between the old and new identities. The fix implemented in Tor Browser 15.0.10 ensures that the nsICookieService and nsICacheStorageService resets are synchronized with the preference-loading logic, preventing any user-defined or site-defined URLs from executing during the identity swap.

Strengthening the Core: Firefox 140.10.0esr and OpenSSL 3.5.6

The stability of the Tor Browser is inextricably linked to its upstream parent, the Firefox Extended Support Release (ESR). Tor Browser 15.0.10 completes a vital rebase onto Firefox 140.10.0esr. This move is significant because the ESR branch provides a stable platform that receives critical security updates without the volatility of frequent feature changes. For the Tor Project, this allows for a deeper audit of the underlying code to ensure that new Firefox features do not inadvertently leak user data or create new fingerprinting surfaces.

In addition to the ESR rebase, this release backports several high-priority security fixes from Firefox 150. This “security-first” approach ensures that Tor users benefit from the very latest patches discovered in the rapid-release cycle of Firefox, even while remaining on the more stable ESR foundation. The integration of OpenSSL 3.5.6 is equally paramount. This version of the library addresses several vulnerabilities that emerged in early 2026, including:

• CVE-2026-31790: A fix for incorrect failure handling in RSA KEM (Key Encapsulation Mechanism) RSASVE encapsulation, which could have led to potential cryptographic weakness during key exchange.
• CVE-2026-28387: Resolution of a potential use-after-free vulnerability in DANE (DNS-based Authentication of Named Entities) client code.
• CVE-2026-28388: A fix for a NULL pointer dereference when processing a delta Certificate Revocation List (CRL).
• CVE-2026-31789: Mitigation of a heap buffer overflow in hexadecimal conversion routines.

By keeping these low-level libraries updated, Tor Browser 15.0.10 maintains the integrity of the encrypted “tunnels” through which user data flows, defending against both active and passive network attacks.

Bypassing 2026 Censorship: Snowflake and the STUN Refresh

As censorship regimes become more adept at identifying and blocking Tor relays, “bridges” have become the lifeline of the network. Snowflake is a highly effective pluggable transport that turns ordinary web browsers into temporary proxies. However, Snowflake relies on STUN (Session Traversal Utilities for NAT) servers to facilitate the connection between the censored user and the volunteer proxy. In 2026, several major censors began implementing advanced DTLS (Datagram Transport Layer Security) fingerprinting to identify and drop Snowflake traffic.

The Tor Browser 15.0.10 update includes the “2026 Edition” of default bridge lines and a refreshed list of Snowflake STUN servers. This is a vital tactical update. By rotating the STUN servers and updating the bridge configurations, the Tor Project makes it significantly harder for censors to use IP-based blacklisting to decapitate the Snowflake network. Furthermore, the updated Snowflake client integrated into this release includes enhanced DTLS randomization and mimicry features, specifically designed to bypass the filtering mechanisms currently deployed in high-censorship regions. This ensures that users can connect to the Tor network even when direct access to known relays is completely severed.

Snowflake Performance in 2026

The Snowflake architecture has seen a massive surge in usage due to ongoing internet shutdowns and regional conflicts. Data from early 2026 showed a spike in Snowflake proxies being blocked via fingerprinting. The response in Tor Browser 15.0.10 addresses this by:

1. Increasing the diversity of STUN server providers to avoid single points of failure.
2. Optimizing the WebRTC handshake to reduce the “latency signature” that some automated firewalls use to identify bridge traffic.
3. Ensuring that the Android version of the browser, which often serves as a primary tool in mobile-first restricted regions, has full parity with these bridge updates.

Mobile Parity and Android GeckoView Updates

For a significant portion of the global population, the internet is accessed primarily through mobile devices. This makes the Android version of the Tor Browser a high-priority target for developers. Tor Browser 15.0.10 for Android includes an update to GeckoView 140.10.0esr, matching the security standards of the desktop version. GeckoView is the engine that powers the browser on mobile, and ensuring it stays in sync with the desktop ESR version is crucial for maintaining a uniform security profile across all platforms.

The Android update also addresses specific mobile vulnerabilities that could lead to background data leaks. In previous versions, certain Android system processes could occasionally bypass the Tor proxy during “intent” handling (e.g., when opening a link from another app). The 15.0.10 release reinforces the “proxy-everything” rule, ensuring that even on the complex and often “chatty” Android OS, no data leaves the device without first being encrypted and routed through the Tor network. This is complemented by the Go 1.25.9 update in the build system, which enhances the stability of the underlying Orbot-based routing modules.

Conclusion: The Necessity of the 15.0.10 Upgrade

In the realm of digital privacy, there is no such thing as a “minor” security update. The release of Tor Browser 15.0.10 is a testament to the Tor Project’s commitment to proactive defense. By resolving the tor-browser#44288 identity leakage bug, the developers have protected the very core of the anonymity experience. When combined with the massive technical debt cleared by the Firefox 140.10.0esr rebase and the critical OpenSSL 3.5.6 patches, this version stands as the most secure iteration of the browser to date.

Users are strongly encouraged to update their installations immediately. Whether you are using Windows, macOS, Linux, or Android, the risks associated with cross-session tracking and bridge blocking are too great to ignore. As we move further into 2026, the tools we use to defend our privacy must remain sharp. Tor Browser 15.0.10 provides that edge, ensuring that the promise of a private, uncensored internet remains a reality for everyone, everywhere.

Key Takeaways for Users:

• Immediate Action: Update to 15.0.10 via the internal browser updater or by downloading from the official Tor Project website.
• Anonymity Restored: The “New Identity” feature is now safe to use with custom homepages without fear of session linkage.
• Bridge Readiness: Users in restricted zones should switch to the updated Snowflake bridges to bypass the latest DTLS-based filtering.
• Encryption Integrity: The move to OpenSSL 3.5.6 provides protection against the latest known cryptographic exploits of 2026.