On April 28, the Tor Project pushed Tor Browser 15.0.11 to Windows, macOS, Linux, and Android, and the reason you should care is not complicated: Mozilla released an out-of-cycle Firefox ESR patch that fixed something bad enough to warrant pulling engineers away from the schedule. The Tor Project did not publish the specific CVE details in the release notes — this is standard practice for time-sensitive security drops — but the designation Firefox 140.10.1esr tells you the fixes were important. This was the third emergency Tor Browser patch in April alone: 15.0.9, 15.0.10, and now 15.0.11 shipped in rapid succession, each one carrying Firefox upstream fixes. For the millions of people relying on Tor for actual censorship resistance, not hypothetical privacy, this matters because the gap between vulnerability discovery and patch deployment directly affects your exposure window.

The context here is that Tor Browser 15.0 marked the completion of Tor's annual ESR migration cycle — the project rebased its entire browser onto Firefox ESR 140 after reviewing roughly 200 Bugzilla issues to identify changes that could break privacy or security. That work finished in March. What nobody predicted was that April would bring this sustained vulnerability pressure on the underlying Firefox engine itself. The Tor Browser codebase is not large; it is a wrapper around Mozilla's browser that disables fingerprinting vectors, enforces bridge mode, and locks down network behavior. When Firefox burns, Tor burns. The patch cycle tells you that whoever discovered these issues found something that could not wait until the next scheduled release.

On the same trajectory, the Tor Project published results from a June 2025 Cure53 security audit of TorVPN for Android on April 15. This was not a casual code review. Cure53 is a German penetration testing and source code audit firm; they conducted a full assessment of both the TorVPN Android application and the underlying Onionmasq networking layer that handles DNS resolution and traffic tunneling. The finding: Tor's core integration is robust. No fundamental issues in tunnel establishment or routing. The audit report flagged what Tor called 'incomplete input validation and weaknesses in DNS handling that could enable denial-of-service conditions in rare cases.' Translation: edge cases that an attacker would need to trigger deliberately, not vulnerabilities that would leak traffic or compromise the anonymity guarantees. The Tor Project stated all issues are being tracked and addressed as part of ongoing development. That means the technical architecture is sound. The remaining work is hardening, not redesign.

Why now? Because Tor Mobile has been in development hell for years. The Tor Browser on Android existed but was clunky; routing all traffic through Tor on a mobile device without a dedicated app meant running multiple applications in parallel and praying nothing leaked. TorVPN for Android is Tor's answer: a single application that tunnels the entire device through the Tor network, with all the routing and DNS handling baked in. The Cure53 audit was always going to be the gating item for public rollout — you cannot launch a privacy product that a major security firm has not blessed. Once that box is checked, rollout becomes a release engineering problem, not a technical architecture problem. And right now, at block height 947,414 with Bitcoin network fees sitting at 5 sat/vB, the fee environment is also favorable for users who want to broadcast transactions on-chain while routing through Tor: anonymity without fee pressure adding operational risk.

Who wins here? Users in regions with active censorship: Iran, China, Russia, Belarus, anywhere an ISP or state actor wants to log who you talk to. TorVPN for Android is a one-tap isolation layer that prevents that surveillance at the network level. The audit confirms the technical foundation is not going to embarrass the project in three months. Tor developers win because they can move from defensive architecture-review mode into feature parity and hardening. Who does not win? People on older Android devices. The Tor Project has already signaled that Tor Browser 16.0 stable, due mid-Q3 2026, will drop support for x86 Android and Android 5.0/6.0/7.0. That is a real narrowing of the install base in the Global South, where used Android devices are the primary connectivity path. Older hardware will be locked out of the latest privacy tools.

Here is what is actually happening: Tor's desktop browser is now in a perpetual patch cycle because Firefox ESR is carrying vulnerabilities that matter. The project is not going to solve this by forking Firefox or trying to maintain a custom engine. Instead, they are doing something harder and more sustainable: they are building a mobile abstraction layer through TorVPN that insulates the app from browser-level vulnerabilities by making the network tunnel the security boundary instead of the renderer. The Cure53 audit proves that bet is correct. The dense April patch cycle proves that Firefox is where the risk is now. The strategy is sound, but it depends on the Tor Project's ability to stay synchronized with Mozilla's release train. If Firefox begins shipping vulnerabilities faster than Tor can backport and test, you will see adoption lag. Right now, the project is keeping pace.

Watch three things. First: when does TorVPN for Android hit public beta? Cure53 flagged input validation and DNS handling issues that the project says are being addressed. A clean patch cycle that fixes those issues without introducing new ones would unlock the milestone. Second: Tor Browser 16.0 stable, expected mid-Q3 2026, will also be the version that drops support for older Android and x86 Linux. That is a platform cliff. If adoption numbers stay flat after that drop, it signals the project prioritized correctness over backward compatibility, and both won and lost something in the process. Third: watch RightsCon fallout. The Tor Project published a solidarity statement in late April after RightsCon was cancelled in Zambia due to political pressure on civil society. The project may announce new circumvention or censorship-resistance work tied to that region. If it does, that is Tor translating principle into code in response to actual state repression.