conflux: SWITCH cell send error ignored
This is a TOCTOU NULL write after free when sending a `SWITCH` cell which fails (rare but possible).
In `conflux_send_switch_command()`:
```c
if (CIRCUIT_IS_ORIGIN(send_circ)) {
  relay_send_command_from_edge(0, send_circ,
                               RELAY_COMMAND_CONFLUX_SWITCH, ...);
} else {
  relay_send_command_from_edge(0, send_circ, ...);
}
```
You can see the returned values are ignored, so even if the send failed, the function returns true, as in "yes, the cell was sent properly".
That is the problem because on failure, `circuit_mark_for_close()` is called which ultimately ends up doing a `cfx_del_leg()`.
And here is when we send the SWITCH in `conflux_decide_circ_for_send()`:
```c
if (!conflux_send_switch_command(cfx->curr_leg->circ, relative_seq)) {
  conflux_mark_all_for_close(...);
  return NULL;
}
cfx->curr_leg->last_seq_sent = cfx->prev_leg->last_seq_sent;
```
The `cfx->curr_leg` is accessed and thus we get a NULL write, leading to a SIGSEGV.
Note here that we have faced this issue before, where an error path would close the leg and then we would attempt to access it afterwards. The close circuit being separated from the free circuit pattern has made this conflux path convoluted and created exponentially many dangerous paths through the maze.
This is now TROVE-2026-017.
/cc @mikeperry
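The failure mode described above, reduced to a small C model. This is an added example, not Tor's code or the project's fix: every type and function name in it is hypothetical, and the NULL test in `decide()` stands in for the crash so the outcome can be reported instead of faulting.

```c
/* Toy model (added example): all names are hypothetical, not Tor's. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint64_t last_seq_sent; } leg_t;
typedef struct { leg_t *curr_leg, *prev_leg; leg_t legs[2]; } cfx_t;
typedef enum { SENT_OK, WOULD_DEREF_NULL, ABORTED_CLEANLY } outcome_t;

/* Stand-in for the relay send: on failure the circuit is marked for
 * close and the current leg is unlinked as a side effect. */
static int send_cell(cfx_t *cfx, bool fail) {
  if (fail) { cfx->curr_leg = NULL; return -1; }
  return 0;
}

/* Pattern from the issue: result discarded, success always reported. */
static bool send_switch_unchecked(cfx_t *cfx, bool fail) {
  (void) send_cell(cfx, fail);
  return true;
}

/* Hardened form: the send result is propagated to the caller. */
static bool send_switch_checked(cfx_t *cfx, bool fail) {
  return send_cell(cfx, fail) == 0;
}

/* Caller: copy the sequence number onto the current leg after the SWITCH.
 * The NULL test marks the spot where the real write would fault. */
static outcome_t decide(cfx_t *cfx, bool fail, bool checked) {
  bool ok = checked ? send_switch_checked(cfx, fail)
                    : send_switch_unchecked(cfx, fail);
  if (!ok) return ABORTED_CLEANLY;            /* error path touches no leg */
  if (cfx->curr_leg == NULL) return WOULD_DEREF_NULL;
  cfx->curr_leg->last_seq_sent = cfx->prev_leg->last_seq_sent;
  return SENT_OK;
}

/* Build a fresh two-leg set (constructed sample values) and run once. */
static outcome_t run(bool fail, bool checked) {
  cfx_t cfx = { .legs = { { 7 }, { 42 } } };
  cfx.curr_leg = &cfx.legs[0]; cfx.prev_leg = &cfx.legs[1];
  return decide(&cfx, fail, checked);
}

int main(void) {
  printf("unchecked+fail=%d checked+fail=%d\n", run(true, false), run(true, true));
  return 0;
}
```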