Threat Advisory

Deno Vulnerability Exposes Plaintext Traffic

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-44726 (CVSS score 7.4) is a vulnerability in Deno's Node.js `tls` compatibility layer affecting versions 2.0.0 to 2.7.8 of the deno package. A flaw in the TLS retry mechanism can cause a TLS client to transmit application data in plaintext after a connection retry. When the `autoSelectFamily` option is enabled and the first address-family attempt fails, a stale TLS upgrade hook bound to the original, failed handle is reused, so the replacement TCP connection is never upgraded to TLS. An attacker who can cause the initial connection attempt to fail, for example by dropping IPv6 traffic on a dual-stack host, can trigger the fallback path and then observe or tamper with traffic the application believed was TLS-protected, including sensitive data such as authentication tokens or credit card numbers. The business impact is significant: the flaw can lead to unauthorized access to sensitive information, compromising the confidentiality and integrity of the data. Exploitation requires the attacker to be positioned on the network path and able to cause the initial connection attempt to fail; it is most relevant to applications that use Deno's `node:tls` or `node:https` surface with `autoSelectFamily` enabled, which is the default configuration.


RECOMMENDATION:

We recommend updating Deno to version 2.7.8.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-chqv-56wv-7564
