What is the CVSS score of CVE-2026-49440?

CVE-2026-49440 has a CVSS 3.1 base score of 7.4 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N.

Which versions of Deno are affected by CVE-2026-49440?

Deno's Node.js compatibility layer through version 2.8.0 contains a cryptographic validation bypass allowing composite numbers to be misidentified as prime when crypto.checkPrime or checkPrimeSync…. A patch is available.

How to fix or mitigate CVE-2026-49440?

Within 24 hours: identify all Deno deployments and catalog applications using crypto.checkPrime or checkPrimeSync. Within 7 days: upgrade all Deno instances to versions beyond 2.8.0 per vendor advisory. Within 30 days: audit any cryptographic keys or prime-dependent security parameters generated during the exposure window.

Deno CVE-2026-49440

HIGH

Missing Cryptographic Step (CWE-325)

2026-06-16 https://github.com/denoland/deno

GHSA-9xg4-qhm4-g43w

Information Disclosure Microsoft OpenSSL Node.js

7.4

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.4 HIGH

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

vuln.today AI

7.4 HIGH

Network-reachable bignum input, no auth or UI, but AC:H because the victim app must both call checkPrime with default options and act on the result; cryptographic guarantees collapse so C:H/I:H, no availability impact.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Source Code Evidence Fetched

Jun 16, 2026 - 19:53 vuln.today

Analysis Generated

Jun 16, 2026 - 19:53 vuln.today

CVE Published

Jun 16, 2026 - 19:08 github-advisory

HIGH 7.4

DescriptionGitHub Advisory

Summary

node:crypto.checkPrime(candidate[, options][, callback]) and crypto.checkPrimeSync(candidate[, options]) ran no Miller-Rabin rounds at all when the caller left options.checks at its default of 0. In that mode, the only test applied to the candidate was trial division by the primes up to 17,863. Any composite whose smallest prime factor exceeds that bound - for example the product of two primes just above it, such as 17,881 × 17,891 - was reported as true ("probably prime").

The same divergence affected the lower-level op_node_check_prime / op_node_check_prime_bytes paths that the polyfill calls into.

Node.js itself does not have this problem: it forwards checks = 0 to OpenSSL's BN_check_prime, which substitutes a sensible default number of rounds based on the candidate's bit length (per FIPS 186-4 Appendix C.3 Table C.1). Deno's Rust implementation had no equivalent fallback, so count = 0 meant "skip the loop entirely."

Affected APIs

crypto.checkPrime(candidate) (callback form, default options)
crypto.checkPrime(candidate, { checks: 0 }, callback)
crypto.checkPrimeSync(candidate) (default options)
crypto.checkPrimeSync(candidate, { checks: 0 })

Callers who explicitly passed checks >= 1 were less affected, the loop ran the number of rounds they asked for, but were still receiving fewer rounds than Node would have applied for the same bit length. With the patched version they get at least the FIPS minimum.

Not affected

Deno's prime *generation* (crypto.generatePrime, crypto.generatePrimeSync, and the DH parameter generation path). Those routes go through Prime::generate_with_options in ext/node_crypto/primes.rs, which hardcodes 20 Miller-Rabin rounds and never reads a user-controlled checks value, so the bug never reached them.
Any other Deno-internal use of primality testing - is_probably_prime is not called from elsewhere in the runtime with count = 0.
Web Crypto (crypto.subtle.*), which uses entirely separate code paths and does not expose a primality test.

Impact

The realistic exposure is application-level: a Deno program that calls crypto.checkPrime (or its sync variant) with default options to validate an externally-supplied bignum, for example checking a peer-provided Diffie-Hellman prime, validating a prime read from configuration, or sanity-checking an RSA factor, will accept crafted composites as prime. The composite is trivial to construct: any product of two primes greater than 17,863 works.

Downstream consequences depend on what the program does with the "verified" prime. If the prime is fed into a key exchange, signature verification, or factorization-style check, the security guarantees of that protocol collapse to whatever the attacker engineered into the composite.

The CVSS impact is bounded by the requirement that the victim application both (a) calls checkPrime with default options and (b) acts on the result for security-relevant input it does not control.

Reproduction

import { checkPrimeSync } from "node:crypto";

// 17881 and 17891 are both prime and both above the trial-division
// ceiling used by Deno's implementation.
const composite = 17881n * 17891n;

// Affected versions print `true`; the patched version prints `false`.
console.log(checkPrimeSync(composite));

The same result is reproducible from Rust against the internal helper:

rust

use num_bigint::BigInt;
let composite = BigInt::from(17881u32) * BigInt::from(17891u32);
assert!(!is_probably_prime(&composite, 0)); // fails on affected versions

Fix

PR #34391 introduces a helper min_miller_rabin_rounds_for_bits(bits) that returns the FIPS 186-4 Appendix C.3 round counts, matching the defaults OpenSSL uses inside BN_check_prime. is_probably_prime then clamps the loop bound to count.max(min_miller_rabin_rounds_for_bits(n.bits())). The probabilistic loop now always executes, regardless of what checks value the caller supplied, with a round count strong enough to keep the false-positive probability below 2^-80. Callers that pass a larger explicit checks still get exactly that many rounds.

Unit tests under ext/node_crypto/primes.rs cover the 17,881 × 17,891 case, a larger 64-bit composite, and the FIPS lookup table itself.

Workarounds

If you cannot upgrade immediately:

Pass an explicit checks value when calling crypto.checkPrime or crypto.checkPrimeSync. A value of 64 is conservative for any reasonable bit length and keeps the loop running.
Do not rely on crypto.checkPrime to validate attacker-influenced bignums in security-critical paths until you are on the patched release.

Articles & Coverage 2

News 3 New OpenSSL Vulnerabilities - 3 High Severity Jun 17, 2026 News 3 New Node.js Vulnerabilities - 3 High Severity, No Public POC Jun 17, 2026

AnalysisAI

Cryptographic primality validation in Deno's Node.js compatibility layer (versions <= 2.8.0) silently skips Miller-Rabin testing when crypto.checkPrime/checkPrimeSync is called with default options, causing crafted composites whose smallest prime factor exceeds 17,863 (e.g. 17,881 × 17,891) to be reported as prime. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Identify Deno service calling checkPrime

Delivery

Craft composite from two primes above 17,863

Exploit

Submit composite as DH prime or RSA factor

Install

Trigger checkPrime default path skipping Miller-Rabin

Composite accepted as prime

Execute

Downstream key exchange uses attacker-chosen modulus

Impact

Recover session keys or forge cryptographic material

Recon

Identify Deno service calling checkPrime

Delivery

Craft composite from two primes above 17,863

Exploit

Submit composite as DH prime or RSA factor

Install

Trigger checkPrime default path skipping Miller-Rabin

Composite accepted as prime

Execute

Downstream key exchange uses attacker-chosen modulus

Impact

Recover session keys or forge cryptographic material

Vulnerability AssessmentAI

Exploitation	The victim Deno application (version <= 2.8.0) must call `crypto.checkPrime` or `crypto.checkPrimeSync` either with no `options` argument or with `options.checks` set to 0 (the documented default), and must then make a security-relevant decision based on the boolean result for a bignum that the attacker can influence - typical examples per the advisory are validating a peer-supplied Diffie-Hellman prime, a prime read from attacker-reachable configuration, or an RSA factor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The provided CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (7.4 High) reflects a network-reachable but non-trivial flaw: the attacker does not need credentials, but the victim application must (a) call `crypto.checkPrime` with default options and (b) act on the result for security-critical input it does not control - hence AC:H. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A Deno service performs a Diffie-Hellman handshake and uses `crypto.checkPrimeSync(peerPrime)` with default options to sanity-check the peer-supplied modulus before key agreement. An attacker submits the composite 17,881 × 17,891 (or any product of two primes above 17,863); `checkPrimeSync` returns `true`, the handshake proceeds against a non-prime modulus whose factorization the attacker chose, and the resulting shared secret offers no real secrecy - letting the attacker recover session keys or forge messages. …
Remediation	Vendor-released patch: Deno 2.8.1, which lands PR https://github.com/denoland/deno/pull/34391 introducing `min_miller_rabin_rounds_for_bits` and clamping the Miller-Rabin loop bound to at least the FIPS 186-4 Appendix C.3 minimum regardless of the caller-supplied `checks` value. … Detailed patch versions, workarounds, and compensating controls in full report.