Tor Browser 15.0.11 Update Patches Critical Identity-Linking Vulnerability

The global privacy community is currently on high alert following the release of the Tor Browser 15.0.11 update on April 28, 2026. This emergency patch addresses a critical architectural flaw that has, until now, allowed sophisticated observers to perform cross-origin correlation, effectively stripping away the anonymity of Tor users. For individuals who rely on Tor for high-stakes privacy—journalists, activists, and whistleblowers—this is not a routine update; it is a mandatory restoration of the browser’s core promise: unlinkability.

The Critical Nature of the Tor Browser 15.0.11 update

The primary driver for the Tor Browser 15.0.11 update is the mitigation of CVE-2026-6770, a vulnerability discovered within the browser’s implementation of the IndexedDB API. In traditional browsers, IndexedDB is a standard feature used to store large amounts of structured data on the client side. However, in the context of an anonymity-focused browser like Tor, any deterministic behavior in how this data is handled can become a lethal tracking vector.

This specific vulnerability allowed websites to bypass Tor’s circuit isolation—the mechanism that ensures your traffic to Site A appears to come from a different IP than your traffic to Site B. By observing the specific order of internal UUID (Universally Unique Identifier) mappings within the browser’s storage engine, malicious actors could generate a “shadow” digital footprint that persisted even after a user requested a “New Identity.”

Deconstructing CVE-2026-6770: The IndexedDB UUID Mapping Flaw

To understand the gravity of CVE-2026-6770, one must look at how Firefox (and by extension, the Tor Browser) handles private storage. When a website creates an IndexedDB database, the browser assigns it an internal UUID. These UUIDs are intended to be randomized and isolated to prevent one site from knowing about the data stored by another. However, researchers discovered that the order in which these database names were returned via the indexedDB.databases() API was not random. Instead, it was based on a global, process-scoped hash table.

This created a deterministic sequence of data. If an attacker controlled two different websites, they could:

• Trigger the creation of multiple IndexedDB databases on Site A.
• Record the specific enumeration order returned by the browser.
• Wait for the user to navigate to Site B.
• Observe the exact same enumeration order on Site B, despite the different origin and different Tor circuit.

This “leaky” enumeration served as a stable, process-lifetime identifier. As long as the browser process remained open, the “order” remained a constant, unique signature of that specific browser instance.

The Failure of the “New Identity” Button

The “New Identity” feature is arguably the most important tool in the Tor Browser toolkit. It is designed to “unlink” your previous browsing activity from your future activity by closing all tabs, clearing all cookies and cache, and resetting the Tor circuits. For over a decade, users have trusted that clicking this button provides a clean slate.

However, CVE-2026-6770 proved that the clean slate was an illusion. Because the IndexedDB UUID mapping was tied to the browser process rather than the session state, clicking “New Identity” did not randomize the identifier. An observer could see a user “disappear” from one identity and “reappear” under a new one, but with the same underlying IndexedDB footprint. For a user in a high-risk environment, this could mean that their activities across different personas were being quietly stitched together by a persistent adversary.

Technical Deep Dive: Cross-Origin Correlation and Fingerprinting

The Tor Browser 15.0.11 update is a direct response to the escalating sophistication of browser fingerprinting. Modern tracking is no longer just about cookies; it is about “entropy.” Every small detail that makes your browser unique—your screen resolution, your installed fonts, your GPU performance, and now, your IndexedDB enumeration order—adds bits of entropy that an attacker can use to identify you.

The vulnerability in CVE-2026-6770 provided an exceptionally high amount of entropy. Unlike probabilistic fingerprinting (which guesses who you are), this was a deterministic identifier. It didn’t matter if you changed your IP address or cleared your history; the internal logic of the browser’s storage engine was shouting your identity to every website you visited.

Rebasing onto Firefox 140.10.1esr

To solve this, the Tor Project has rebased the 15.0.11 release onto Firefox 140.10.1esr. This upstream update from Mozilla includes a fundamental change to how IndexedDB metadata is surfaced to the Web API. The fix introduces per-origin randomization of the enumeration order. Now, even if a website attempts to list the databases, the order it receives will be unique to that specific origin and will not match the order seen by any other website. This effectively breaks the cross-origin correlation chain and restores the “Same-Origin Policy” (SOP) to its intended strength.

NoScript 13.6.18.1984: Hardening the Perimeter

Alongside the browser engine changes, the Tor Browser 15.0.11 update includes a critical update to the NoScript extension (version 13.6.18.1984). NoScript has long been the first line of defense in Tor, preventing malicious scripts from executing and harvesting fingerprinting data.

The new version of NoScript includes specific mitigations designed to detect and block “probing” attacks where a site attempts to rapidly create and delete IndexedDB entries to “brute-force” a unique identifier. By limiting the frequency and visibility of these storage-level operations, NoScript provides a secondary layer of protection against future, yet-to-be-discovered storage side-channels.

Operational Impact: Who is at Risk?

While the Tor Project has categorized the fix as “critical,” the operational risk varies depending on user behavior. The vulnerability is most dangerous for users who:

1. Keep the Tor Browser open for extended periods (days or weeks) without a full restart.
2. Frequently use the “New Identity” button to switch between sensitive accounts or personas.
3. Visit websites that utilize advanced JavaScript-based tracking frameworks (common in ad-tech and state-sponsored surveillance).

It is important to note that this was a passive vulnerability. An attacker did not need to “hack” your computer or deliver a payload. They simply needed to include a few lines of standard JavaScript on their webpage to observe the leaked UUID order. This makes the vulnerability particularly insidious, as there is no way for a user to know they have been tracked until after the data has already been correlated.

How to Apply the Tor Browser 15.0.11 Update Correctly

To ensure you are protected, you must verify that your browser has successfully updated. Due to the nature of this flaw, a simple “New Identity” is insufficient. You must perform a full software update and restart the browser process to clear the vulnerable hash table from memory.

• Automatic Update: Click the “hamburger” menu (three horizontal lines), go to Help, and select About Tor Browser. The browser will automatically check for and download the 15.0.11 update.
• Manual Verification: Ensure that the “About” window confirms you are running version 15.0.11 and that it is based on Firefox 140.10.1esr.
• Clean Start: After the update is applied, it is highly recommended to close the browser entirely and restart it. This ensures that the old, stable process-lifetime identifier is purged from the system’s RAM.

A Note for Android Users

The Android version of the Tor Browser is also affected and must be updated via the Google Play Store or the F-Droid repository. The Android update includes the same rebase to GeckoView 140.10.1esr, ensuring that mobile users are not left vulnerable to the same correlation attacks.

The Future of Unlinkability in a Post-CVE-2026-6770 World

The discovery of CVE-2026-6770 serves as a stark reminder that anonymity is a moving target. As browser APIs become more complex, the “surface area” for potential leaks grows. The Tor Project’s rapid response with the Tor Browser 15.0.11 update demonstrates the strength of the open-source security model, but it also highlights the need for constant vigilance.

The lesson for developers is clear: any API that returns a list or a sequence must be carefully audited to ensure that the order of that list does not reflect internal, global states. For users, the lesson is equally clear: the browser is not a static shield. It is a piece of software that requires active maintenance. In the war for privacy, the “Update” button is your most powerful weapon.

As we move further into 2026, we expect to see more research into “storage-layer fingerprinting.” This is the new frontier of surveillance, and the 15.0.11 update is a vital line in the sand. Do not delay—secure your identity today by ensuring your Tor Browser is fully patched and up to date.