CVE-2026-44726 | Deno is a JavaScript, TypeScript, and WebAssembly runtime. F… | CVSS 7.4 HIGH

Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. From 2.0.0 until 2.7.8, a flaw in Deno's Node.js tls compatibility layer could cause a TLS client to transmit application data in plaintext after a connection retry. When `autoSelectFamily was enabled and the first address-family attempt failed, the socket reinitialization path reused a stale TLS upgrade hook that was bound to the original, failed handle. As a result, the replacement TCP connection was never upgraded to TLS, and any data the application wrote before the secureConnect event travelled over the network unencrypted. A network attacker positioned to cause the initial connection attempt to fail (for example, by dropping IPv6 traffic on a dual-stack host) could deterministically trigger the fallback path and observe or tamper with traffic that the application believed was TLS-protected. This vulnerability is fixed in 2.7.8.

Metadata

CVE ID: CVE-2026-44726
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-07 18:04 UTC
Published: 2026-06-23 17:24 UTC
Last updated: 2026-06-23 17:24 UTC
Primary CWE: CWE-319
CWE-319: Cleartext Transmission of Sensitive Information
Vendor / Product: denoland / deno
Sources: cve.org · NVD

Severity & Metrics

7.4 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected products (1)

Vendor	Product	Platform	Versions
denoland	deno	—	>= 2.0.0, < 2.7.8

Weakness (CWE)

CWE	Source	Description
CWE-319	cna	CWE-319: Cleartext Transmission of Sensitive Information

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.4	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

References (1)

https://github.com/denoland/deno/security/advisories/GHSA-chqv-56wv-7564 https://github.com/denoland/deno/security/advisories/GHSA-chqv-56wv-7564