CVE-2026-44726 Overview
CVE-2026-44726 is a high-severity flaw in Deno's Node.js tls compatibility layer that causes TLS clients to transmit application data in plaintext after a connection retry. The issue affects Deno versions 2.0.0 through 2.7.7 when autoSelectFamily is enabled. When the first address-family attempt fails, the socket reinitialization path reuses a stale TLS upgrade hook bound to the failed handle, leaving the replacement TCP connection unencrypted. The flaw is tracked under CWE-319: Cleartext Transmission of Sensitive Information and is fixed in Deno 2.7.8.
Critical Impact
A network attacker who can disrupt the initial connection attempt — for example, by dropping IPv6 traffic on a dual-stack host — can deterministically force Deno applications to send TLS-intended data in plaintext.
Affected Products
- Deno runtime versions 2.0.0 through 2.7.7
- Node.js tls compatibility layer in Deno
- Applications using autoSelectFamily with TLS sockets on dual-stack hosts
Discovery Timeline
- 2026-06-23 - CVE-2026-44726 published to NVD
- 2026-06-25 - Last updated in the NVD database
Technical Details for CVE-2026-44726
Vulnerability Analysis
Deno provides a Node.js tls compatibility layer that wraps TCP sockets and upgrades them to TLS. When autoSelectFamily is enabled, the runtime attempts to connect to both IPv6 and IPv4 addresses, falling back when one family fails. The vulnerability stems from how the fallback path reinitializes the underlying socket. The replacement TCP connection inherits a stale TLS upgrade hook tied to the original, failed handle. The new socket is therefore never upgraded to TLS. Application code that writes data before the secureConnect event fires transmits that data in cleartext.
Root Cause
The defect resides in the socket reinitialization logic of Deno's Node.js tls shim. The TLS upgrade callback is registered against the initial socket handle rather than rebound to the replacement handle after fallback. When autoSelectFamily selects an alternate address family, the new TCP socket bypasses the upgrade routine entirely. The socket appears valid to the calling application, but no TLS handshake occurs on it.
Attack Vector
An attacker positioned on the network path can deterministically trigger the fallback by dropping or blackholing traffic to the preferred address family. On a dual-stack host that prefers IPv6, dropping IPv6 SYN packets forces the client to retry over IPv4. The retried connection carries application data without encryption. The attacker can then passively observe credentials, session tokens, or API payloads, or actively tamper with the cleartext stream. Exploitation requires the application to use autoSelectFamily and to write data before confirming the secureConnect event. See the Deno GitHub Security Advisory for the maintainer's technical write-up.
Detection Methods for CVE-2026-44726
Indicators of Compromise
- Outbound TCP connections from Deno processes to ports typically used for TLS (443, 8443, 5432, 6379) that lack a ClientHello in the first packets.
- Repeated failed IPv6 connection attempts followed by IPv4 retries originating from Deno workloads.
- Application protocol data such as HTTP requests or database queries observed in plaintext on ports configured for TLS.
Detection Strategies
- Inspect network flow telemetry for Deno hosts and flag sessions on TLS-designated ports that do not begin with a valid TLS record header (0x16 0x03).
- Audit deployed code for use of net.connect, tls.connect, or https calls that set autoSelectFamily: true against Deno runtimes earlier than 2.7.8.
- Correlate connection-reset events on the preferred address family with subsequent unencrypted egress on the fallback family.
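The first and third detection strategies above (a session on a TLS-designated port that does not open with a TLS record, and a failure on the preferred address family followed by unencrypted egress on the fallback family) as an added example that is not part of the advisory. The flow-record shape, the process-id field and the 5-second retry window are assumptions about what a network sensor or endpoint agent exports.

```javascript
// Added example (not from the advisory): detection logic over constructed
// flow records of the shape {ts, pid, family, dstPort, outcome, firstBytes}.
// Flags (a) any session to a TLS-designated port that does not open with a
// TLS ClientHello record and (b) the advisory's pattern of a failed attempt on
// one address family followed shortly by an unencrypted retry on the other.
const TLS_PORTS = new Set([443, 8443, 5432, 6379]); // ports listed above
const RETRY_WINDOW_MS = 5000; // assumed gap between failure and fallback

// TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04,
// 2-byte length, then handshake message type 0x01 (ClientHello).
function classifyFirstBytes(buf) {
  if (buf.length < 6) return 'short';
  if (buf[0] === 0x16 && buf[1] === 0x03 && buf[2] <= 0x04) {
    return buf[5] === 0x01 ? 'tls-clienthello' : 'tls-other';
  }
  // Printable ASCII at offset 0 is typical of cleartext protocols (HTTP, Redis).
  return /^[\x20-\x7e\r\n]+$/.test(buf.subarray(0, 8).toString('latin1'))
    ? 'plaintext' : 'unknown';
}

function detect(flows) {
  const alerts = [];
  const failuresByPid = new Map();
  for (const f of [...flows].sort((a, b) => a.ts - b.ts)) {
    if (!TLS_PORTS.has(f.dstPort)) continue;
    const failures = failuresByPid.get(f.pid) ?? [];
    failuresByPid.set(f.pid, failures);
    if (f.outcome === 'failed') { failures.push(f); continue; }
    const verdict = classifyFirstBytes(f.firstBytes);
    if (verdict === 'tls-clienthello') continue;
    alerts.push(`pid ${f.pid}: ${verdict} to :${f.dstPort} over ${f.family}`);
    // (b): a failure on the other family just before this unencrypted session
    const prior = failures.find(p => p.family !== f.family &&
      p.dstPort === f.dstPort && f.ts - p.ts <= RETRY_WINDOW_MS);
    if (prior) alerts.push(`pid ${f.pid}: ${prior.family} failure then cleartext ` +
      `${f.family} retry to :${f.dstPort} (CVE-2026-44726 pattern)`);
  }
  return alerts;
}

// Constructed sample: one healthy TLS session, then a failed IPv6 attempt
// followed by an IPv4 connection that opens with an HTTP request line.
const SAMPLE_FLOWS = [
  { ts: 1000, pid: 41, family: 'ipv6', dstPort: 443, outcome: 'ok',
    firstBytes: Buffer.from([0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00]) },
  { ts: 2000, pid: 42, family: 'ipv6', dstPort: 443, outcome: 'failed', firstBytes: Buffer.alloc(0) },
  { ts: 2300, pid: 42, family: 'ipv4', dstPort: 443, outcome: 'ok',
    firstBytes: Buffer.from('GET /api/session HTTP/1.1\r\nHost: api.example.test\r\n') },
];
```

Running detect(SAMPLE_FLOWS) yields two alerts for pid 42 and none for the healthy session; the printable-ASCII heuristic is deliberately coarse and is meant to be tuned against the protocols actually carried on each port.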
Monitoring Recommendations
- Forward Deno runtime version inventory and process telemetry into a centralized analytics platform to identify hosts running vulnerable releases.
- Alert on TLS-port traffic that fails protocol validation at network sensors, IDS, or service mesh sidecars.
- Track changes in dual-stack reachability that coincide with sudden plaintext traffic from application workloads.
How to Mitigate CVE-2026-44726
Immediate Actions Required
- Upgrade all Deno installations to version 2.7.8 or later, which contains the corrected socket reinitialization logic.
- Audit application code for autoSelectFamily: true and disable it temporarily until the runtime is patched.
- Rotate credentials, API keys, and session tokens that may have transited through affected Deno clients on untrusted network paths.
Patch Information
The vulnerability is fixed in Deno 2.7.8. The patch rebinds the TLS upgrade hook to the replacement socket handle during the autoSelectFamily fallback, ensuring the new TCP connection completes the TLS handshake before any application data is written. Patch details are published in the Deno GitHub Security Advisory GHSA-chqv-56wv-7564.
Workarounds
- Set autoSelectFamily: false on all tls.connect, net.connect, and https.request calls until upgrading to Deno 2.7.8.
- Force a single address family at the network level by disabling IPv6 on hosts that do not require dual-stack connectivity.
- Gate all socket writes behind the secureConnect event so cleartext data cannot be emitted on a non-upgraded handle.
# Upgrade Deno to the patched release
deno upgrade --version 2.7.8
# Verify the installed version
deno --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

