Tails 7.5 Ships New Tor Circuit Encryption

Tails 7.5 upgrades to Tor 0.4.9.5 with Counter Galois Onion encryption and patches over 30 high-severity Firefox vulnerabilities through Tor Browser 15.0.7.

Tails 7.5 dropped today with a completely new Tor circuit encryption protocol, over 30 patched browser vulnerabilities, and a fix for a Thunderbird security gap that has been leaving email users exposed after every single Tails release.

The headline upgrade is Tor 0.4.9.5, the first stable release in the 0.4.9 series, and it brings a fundamental change to how your traffic gets encrypted as it moves through Tor circuits. The new protocol is called Counter Galois Onion (CGO), designed by Jean Paul Degabriele, Alessandro Melloni, Jean-Pierre Münch, and Martijn Stam, and it replaces the aging relay cryptography that Tor has been using for years. CGO uses authenticated encryption with associated data (AEAD), which means every relay in your circuit can now detect tampering in real time rather than relying on end-to-end integrity checks alone. If you use Tails for anything sensitive, and you should be, your traffic between hops is better protected than it has ever been on the Tor network.

But Tor 0.4.9.5 went further than new encryption. The development team stripped out a pile of legacy protocols that have been dead weight for years. Relays no longer support the obsolete TAP circuit extension protocol, the ancient v1 and v2 link handshakes are gone, and the dangerously short RSA key authentication method ("RSA-SHA256-TLSSecret") has been removed in favor of the Ed25519-based method that has been available since Tor 0.3.0.1-alpha. Directory authorities dropped support for consensus methods before method 32 and removed the unused "package" lines feature from consensus documents. On the defensive side, exit relays now clip every returned DNS TTL to 60 seconds to mitigate a DNS cache oracle attack that has existed since 0.3.5.1-alpha. New relay metrics track drop cells, destroy cells, and circuit protocol violations so operators can actually monitor for abuse patterns.

TOR BROWSER 15.0.7 / FIREFOX ESR 140.8.0 / 37 CVEs PATCHED

On the browser side, Tails 7.5 ships Tor Browser 15.0.7, which is built on Firefox ESR 140.8.0 and backports security fixes from Firefox 148. Mozilla's security advisory (MFSA 2026-15) lists 21 high-severity CVEs including multiple sandbox escapes (CVE-2026-2760, CVE-2026-2761, CVE-2026-2768, CVE-2026-2776, CVE-2026-2778), a WebRTC boundary condition flaw (CVE-2026-2757), seven use-after-free vulnerabilities across the JavaScript engine, WebAssembly, IndexedDB, DOM bindings, and media playback, plus memory safety bugs that Mozilla explicitly says showed "evidence of memory corruption" and could plausibly be exploited for arbitrary code execution. On top of the 21 high-severity issues, there are another 11 moderate and 2 low-severity fixes. Running an older Tor Browser version against this list of patched vulnerabilities is a real risk, because now that the CVE details are public, exploitation becomes substantially easier for anyone reading the advisories.

The third major change in Tails 7.5 addresses something that has been undermining Thunderbird security for years. Until this release, the Tails team would ship a version of Thunderbird with each update, and Mozilla would almost always release a new Thunderbird version within days of a Tails release that patched additional security vulnerabilities. The result was that Tails users running Thunderbird were almost permanently exposed to known, patched vulnerabilities because the bundled version lagged behind the Mozilla release cycle. Tails 7.5 fixes this by making Thunderbird installable as Additional Software through the Persistent Storage, which means the latest version from Debian gets pulled automatically every time you boot Tails. If you use Thunderbird on Tails for anything, enable this immediately.

Tails 7.5 also now includes a Mexican Spanish language pack for Thunderbird alongside the existing Spain Spanish package, which matters for the large population of Spanish-speaking privacy users in Latin America who have been stuck with Castilian Spanish localization.

Upgrading is straightforward if you are already on Tails 7.0 or later. The automatic upgrade mechanism handles it. If the automatic upgrade fails or you run into boot problems after upgrading, the manual upgrade instructions are available. Fresh installations using USB or ISO images can be downloaded from the Tails installation pages for Windows, macOS, Linux, or the command line. Keep in mind that installing fresh instead of upgrading wipes your Persistent Storage, so upgrade if you have anything stored.

CGO circuit encryption, 30+ patched browser CVEs, and the Thunderbird auto-update fix together mean the security gap between Tails 7.4.x and 7.5 is wide enough that staying on the old version is a liability. Upgrade, verify the signature, and move on.

Tails 7.5 Security Update Quiz
Test your understanding of the Tails 7.5 release, Tor 0.4.9.5 changes, and the browser security patches
Question 1
What is the name of the new circuit encryption protocol introduced in Tor 0.4.9.5?
Question 2
How many high-severity CVEs were patched in Firefox ESR 140.8?
Question 3
What obsolete circuit extension protocol did Tor 0.4.9.5 remove from relays?
Question 4
How does Tails 7.5 fix the Thunderbird vulnerability window problem?
Question 5
What type of encryption does CGO use?
Question 6
What Firefox ESR version is Tor Browser 15.0.7 built on?
Question 7
What DNS mitigation did Tor 0.4.9.5 add for exit relays?
Question 8
How many sandbox escape vulnerabilities were patched in Firefox ESR 140.8?
Question 9
What authentication method replaced the removed RSA-SHA256-TLSSecret in Tor?
Question 10
What new language pack was added to Thunderbird in Tails 7.5?