CVE-2026-44726 affects Deno, a JavaScript, TypeScript, and WebAssembly runtime, in versions >=2.0.0 and <2.7.8. The vulnerability involves the Node.js TLS compatibility layer where, under certain conditions (autoSelectFamily enabled and first address-family attempt failure), the TLS client may transmit data in cleartext after retrying a connection. This happens because the socket reinitialization path reuses a stale TLS upgrade hook bound to the original failed handle, preventing the new TCP connection from upgrading to TLS. An attacker able to cause the initial connection attempt to fail (e.g., by dropping IPv6 traffic on a dual-stack host) can trigger this fallback path and intercept or modify data believed to be TLS-protected. The issue is resolved in Deno version 2.7.8.

An attacker positioned on the network can cause the initial TLS connection attempt to fail and force the client to retry the connection without properly upgrading to TLS. This leads to application data being transmitted in plaintext, exposing sensitive information to interception or tampering. The vulnerability compromises confidentiality and integrity of the data transmitted before the secureConnect event. There is no indication of impact on availability. The CVSS v3.1 base score is 7.4 (High), reflecting network attack vector, high complexity, no privileges required, no user interaction, and high confidentiality and integrity impact.

A fix is available in Deno version 2.7.8. Users should upgrade to version 2.7.8 or later to remediate this vulnerability. No other mitigations or workarounds are specified. Since this is not a cloud service, remediation depends on user action to update the software.