Tor Browser 16.0a2 Drops the ESR Safety Net

Tor Browser 16.0a2 lands with a Firefox 147 base, OpenSSL 3.5.5 security patches, and the first glimpse of life after ESR.


Tor Browser 16.0a2 dropped on February 4, 2026, confirming the Tor Project's commitment to abandoning Firefox ESR for alpha releases. The new build runs on Firefox 147, includes critical OpenSSL security patches, and fixes a bug where websites would randomly fail to load after bootstrapping.

The shift from Firefox Extended Support Release to Firefox Rapid Release changes how the Tor Project develops its browser. The December 2025 announcement explained the reasoning: rebasing after 4 weeks of upstream Firefox changes is significantly easier than rebasing after 52 weeks, which had been creating developer burnout and concentrating all the hard work into intense 16-week windows. That pain now gets spread throughout the year, and alpha testers get new upstream features shortly after Mozilla ships them instead of waiting for the annual ESR bump.

ESR vs Rapid Release: Development Models Compared

ESR Model (previous alpha approach):
- Rebase cycle: once per year (52 weeks)
- Crunch period: intense 16-week transition windows
- Browser code age: up to 1 year behind upstream
- Stability: thoroughly tested privacy patches

Rapid Release (new alpha approach, 16.0a2 and later):
- Rebase cycle: every 4 weeks, in step with Firefox
- Crunch period: work spread throughout the year
- Browser code age: 4 weeks behind upstream at most
- Stability: upstream bugs arrive together with features

The tradeoff: alpha releases may be less secure and private because upstream Firefox bugs arrive alongside the features. If Mozilla introduces a vulnerability, Tor Browser Alpha users eat it immediately instead of benefiting from the ESR delay. The team explicitly states they might delay security updates if upstream changes create compatibility problems with their privacy patches.

Component updates include Tor 0.4.9.4-rc, NoScript 13.5.11.90301984, OpenSSL 3.5.5, and Firefox/GeckoView 147.0a1.

The OpenSSL 3.5.5 update addresses 13 security vulnerabilities, with one rated High severity. The worst is CVE-2025-15467, a stack buffer overflow in CMS AuthEnvelopedData parsing that triggers before any cryptographic verification, meaning attackers can exploit it without valid credentials. Additional patches cover improper PBMAC1 parameter validation (CVE-2025-11187), a NULL dereference in SSL_CIPHER_find() (CVE-2025-15468), input truncation issues with files over 16 MB (CVE-2025-15469), excessive memory allocation in TLS 1.3 CompressedCertificate handling (CVE-2025-66199), heap out-of-bounds writes in BIO_f_linebuffer (CVE-2025-68160), and several others affecting PKCS12 and timestamp response verification.
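One check a practitioner would want after reading the component list and the OpenSSL advisory summary is whether a given build actually bundles the patched versions. The script below is an added example, not code from the article or from the Tor Project: it parses version strings in the forms the release notes use (release candidates such as 0.4.9.4-rc, alphas such as 147.0a1, plain dotted versions) and flags any component that falls below a minimum. The bundled-component list is constructed from the versions quoted above; the minimum table is an assumption for illustration, with OpenSSL 3.5.5 taken from the article as the release carrying the 13 fixes.

```python
"""Compare bundled component versions against minimum patched versions.

Added example (not part of the article or of Tor Browser's own tooling).
Assumptions: the MINIMUM_VERSIONS table is illustrative; the only entry
grounded in the article is OpenSSL 3.5.5.
"""
import re
from typing import Dict, List, Tuple

# Pre-release tags sort before a final release: 147.0a1 < 147.0b1 < 147.0rc1 < 147.0
_PRERELEASE_RANK = {"a": 0, "alpha": 0, "b": 1, "beta": 1, "rc": 2}
_FINAL_RANK = 3  # anything without a pre-release tag sorts after every pre-release

_TOKEN = re.compile(r"(\d+)|([A-Za-z]+)")


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, int]]:
    """Split '0.4.9.4-rc' or '147.0a1' into (numeric parts, (pre-release rank, pre-release number)).

    Separators such as '.' and '-' are ignored; digits after a tag become the pre-release number.
    """
    numbers: List[int] = []
    rank, pre_num = _FINAL_RANK, 0
    seen_tag = False
    for digits, word in _TOKEN.findall(text):
        if word:
            tag = word.lower()
            if tag not in _PRERELEASE_RANK:
                raise ValueError(f"unknown version tag {word!r} in {text!r}")
            rank, seen_tag = _PRERELEASE_RANK[tag], True
        elif seen_tag:
            pre_num = int(digits)
        else:
            numbers.append(int(digits))
    if not numbers:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(numbers), (rank, pre_num)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is older than, equal to, or newer than b."""
    na, pa = parse_version(a)
    nb, pb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))  # treat 3.5 and 3.5.0 as equal
    nb += (0,) * (width - len(nb))
    key_a, key_b = (na, pa), (nb, pb)
    return (key_a > key_b) - (key_a < key_b)


# Minimum versions; only the OpenSSL entry comes from the article (3.5.5 ships the 13 fixes,
# including CVE-2025-15467). The others are placeholders for the sake of the check.
MINIMUM_VERSIONS: Dict[str, str] = {
    "OpenSSL": "3.5.5",
}

# Constructed from the 16.0a2 component list quoted in the article.
BUNDLED_COMPONENTS: Dict[str, str] = {
    "Tor": "0.4.9.4-rc",
    "NoScript": "13.5.11.90301984",
    "OpenSSL": "3.5.5",
    "Firefox": "147.0a1",
}


def outdated_components(bundled: Dict[str, str], minimums: Dict[str, str]) -> List[str]:
    """Names of bundled components that are older than their required minimum."""
    return [
        name
        for name, minimum in minimums.items()
        if name in bundled and compare_versions(bundled[name], minimum) < 0
    ]


if __name__ == "__main__":
    stale = outdated_components(BUNDLED_COMPONENTS, MINIMUM_VERSIONS)
    for name, version in BUNDLED_COMPONENTS.items():
        status = "BELOW MINIMUM" if name in stale else "ok"
        print(f"{name:10} {version:20} {status}")
```

The pre-release handling matters for this release in particular: a naive string comparison would rank 0.4.9.4-rc above 0.4.9.4 and 147.0a1 above 147.0, so a build could look newer than the fixed release when it is in fact older.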

Two bug fixes stand out. The Android APK had been exceeding Google Play Store's 100 MB limit, which the team fixed by backporting Mozilla's terser JavaScript minifier and conditionally compiling platform-specific preferences. The other fix addresses an intermittent issue where websites would fail to load after bootstrapping, caused by the NoScript extension behaving badly in permanent private-browsing mode, which is how Tor Browser operates by default.

Platform-specific changes span all targets. Linux builds gain a system font size implementation. Android users receive branding corrections and WebExtensions initialization fixes. Desktop platforms see adjustments to settings visibility and letterboxing updates, though these are primarily maintenance items.

The Tor Project now expects to ship only one major feature release per year, replacing the previous pattern of two releases in Q2 and Q3/Q4. Tor Browser 15.0 shipped without a 15.5 follow-up. Tor Browser Stable 16.0 is expected to land around mid-Q3 2026, giving alpha testers several more months of rapid-release builds before the stable branch catches up.

The switch to rapid release also means faster platform deprecation. 32-bit x86 builds for Linux and Android are gone. Android versions below 8.0 are no longer supported.

The official download page has the release, and mirrors exist in the distribution directory. The Tor Project explicitly states this alpha is for testing only and warns against using it for anything where security matters.

Whether this approach produces better software is the open question. The ESR model gave the Tor Project breathing room to thoroughly test privacy patches against a stable Firefox base, but it also meant users sat on year-old browser code while Mozilla shipped security fixes to everyone else. Rapid release inverts that equation: alpha users get fixes faster but accept the risk of upstream regressions. The stable channel remains on ESR, so production users keep the conservative approach while testers work through the rough edges.

The NoScript fix makes this release worth the update for anyone who hit that bootstrapping bug, and the OpenSSL patches address vulnerabilities that real-world adversaries could exploit against the cryptographic layer. The Tor Project is betting that spreading the rebasing work across the year beats the brutal crunch of annual ESR transitions.
