Tor Browser 15.0.5 Patches Sabotaged Translations and 14 CVEs

A malicious contributor vandalized Vietnamese translations in Tor Browser 15.0.4, prompting an unscheduled release that also backports 14 Firefox 147 security fixes including sandbox escapes.

The Tor Project released Tor Browser 15.0.5 on January 29, 2026, fixing vandalized Vietnamese translations that shipped in version 15.0.4 and backporting critical security patches from Firefox 147.

A malicious contributor infiltrated the translation pipeline and poisoned Vietnamese text strings in the Android version. The sabotage had zero impact on browser functionality or security properties, but the Tor Project treated it seriously enough to push an unscheduled release. Community member SweetSea spotted the vandalized text and reported it to the #tor-l10n developer channel, earning a public thank-you from the project.

This incident highlights a persistent weakness in open-source localization: anyone can volunteer to translate, and verification often happens after the fact. The Tor Project acknowledged it is reviewing its processes for accepting translation updates. Its stated goal is to keep contributions open while adding safeguards, though it has not specified what those safeguards will look like. Supply chain attacks on Tor have happened before. In 2022, Kaspersky documented 'OnionPoison', a campaign distributing trojanized Tor Browser installers via YouTube to Chinese users, collecting data that enabled surveillance and potential extortion.

Beyond the translation fix, version 15.0.5 incorporates security patches from Firefox 147, released January 13, 2026. Mozilla addressed 14 vulnerabilities in that update, including seven rated high-severity. Four sandbox escape flaws affect the Graphics and Messaging System components. Researcher Oskar L discovered CVE-2026-0878, CVE-2026-0879, and CVE-2026-0880, all stemming from incorrect boundary conditions and integer overflow bugs in Graphics rendering. Andrew McCreight found CVE-2026-0881, which targets the Messaging System.

The remaining high-severity issues include CVE-2026-0877, a DOM mitigation bypass reported by mingijung, and CVE-2026-0882, a use-after-free vulnerability in Inter-Process Communication discovered by Randell Jesup. Memory safety bugs tracked under CVE-2026-0891 and CVE-2026-0892 showed evidence of memory corruption that could enable arbitrary code execution with sufficient effort. Neither Mozilla nor Google has reported active exploitation of these vulnerabilities in the wild, but browser memory corruption bugs attract serious attention from both state actors and criminal groups.

The update bumps Firefox ESR to version 140.7.0 across all platforms. Android users get GeckoView 140.7.0esr with an updated public suffix list for accurate domain handling. The release also refreshes built-in obfs4 bridges, the pluggable transports that transform Tor traffic into random-looking bytes to evade deep packet inspection. For users in China, Russia, Iran, and other censorship-heavy regions, fresh bridges matter. Governments continuously probe and block known bridge addresses, so regular rotation helps maintain access.

Tor Browser 15.0.5 also fixes a label display issue in the Blocked Objects window and keeps public suffixes current on the Android build. These changes landed as bug fix tor-browser-build#41681, part of ongoing maintenance for the 140esr-based browser series.

The 15.0 series is the last to support legacy platforms. When Tor Browser 16.0 arrives in Q2 2026, it will drop support for 32-bit Linux, 32-bit Android, and Android versions 5.0, 6.0, and 7.0. The Tor Project says these deprecations stem from upstream Mozilla decisions and practical constraints. Google Play's 100MB app size limit makes packaging x86 Android builds increasingly difficult. Supporting legacy architectures also limits development flexibility and complicates security maintenance.

Users on affected platforms should plan their transitions. The 15.0 series will continue receiving security updates until 16.0 goes stable, but the clock is running. Anyone still using 32-bit Linux or Android devices older than Android 8.0 (Oreo) will need to upgrade hardware or find alternative anonymity solutions.

Tor Browser 15.0.5 downloads are available from the official download page and the distribution directory at torproject.org/dist/torbrowser/15.0.5/. The update applies to Windows, macOS, Linux, and Android. Users with automatic updates enabled should receive the new version through their normal update mechanism.

Supply chain attacks extend beyond code. Localization, documentation, and community contributions all represent attack surfaces. The Tor Project's volunteer translator network provides essential accessibility for non-English speakers, but trust verification at scale remains an unsolved problem. The project's response suggests they're taking this seriously while trying to avoid creating barriers that would discourage legitimate contributors.

For OPSEC-conscious users, the security patches alone justify immediate updating. Sandbox escapes and memory corruption vulnerabilities in browser engines are what sophisticated adversaries weaponize. The combination of high-severity CVEs and the translation incident makes 15.0.5 a priority update for anyone relying on Tor Browser for anonymity.
