From the same security report #41231 , they also found this: > While analyzing this bug, we discovered a less severe one but will still cause the node to crash through abort(). It is in https://gitlab.torproject.org/tpo/core/tor/-/blob/main/src/core/or/conflux_pool.c#L1964 where `sizeof(*link->nonce)` should be a `sizeof(link->nonce)`. Please credit it as: Anas Cherni of Calif.io. I can confirm, the sizeof(*) is wrong, the nonce is: > uint8_t nonce[DIGEST256_LEN]; /cc @nickm, @mikeperry