CVE-2026-22863

HighPublic PoC

Published: 15 January 2026

Published

15 January 2026

Modified

21 January 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0001 0.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22863 is a high-severity Missing Cryptographic Step (CWE-325) vulnerability in Deno Deno. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 0.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1110 Brute Force Credential Access

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

attack.mitre.org →

Why these techniques?

Remote unauthenticated exploitation of crypto flaw in public-facing Deno runtime enables T1190; explicit support for brute-force and stream analysis attacks maps to T1110.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.6.0, node:crypto doesn't finalize cipher. The vulnerability allows an attacker to have infinite encryptions. This can lead to naive attempts at brute forcing, as well as more refined attacks with the…

goal to learn the server secrets. This vulnerability is fixed in 2.6.0.

Deeper analysisAI

CVE-2026-22863 affects Deno, a runtime for JavaScript, TypeScript, and WebAssembly, specifically versions prior to 2.6.0. The vulnerability resides in the node:crypto module, which fails to properly finalize ciphers. This flaw, classified under CWE-325 (Missing Required Cryptographic Step), enables infinite encryptions without proper termination, as scored at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from network-based exploitation with low complexity and no privileges required.

Remote attackers without authentication can exploit this vulnerability by repeatedly invoking encryption operations that do not finalize. This allows naive brute-force attempts or more sophisticated attacks aimed at disclosing server secrets through analysis of the unending encryption streams.

Deno addressed the issue in version 2.6.0, as detailed in the release notes and security advisory GHSA-5379-f5hf-w38v. Security practitioners should upgrade to 2.6.0 or later to mitigate the risk, ensuring proper cipher finalization in node:crypto usage.

Details

CWE(s): CWE-325

Affected Products

deno

≤ 2.6.0

CVEs Like This One

CVE-2026-27190Same product: Deno Deno

CVE-2026-32260Same product: Deno Deno

CVE-2026-22864Same product: Deno Deno

CVE-2025-61787Same product: Deno Deno

CVE-2026-41395Shared CWE-325

CVE-2026-4601Shared CWE-325

CVE-2025-47383Shared CWE-325

CVE-2026-4258Shared CWE-325

References

https://github.com/denoland/deno/releases/tag/v2.6.0
Release Notes · security-advisories@github.com
https://github.com/denoland/deno/security/advisories/GHSA-5379-f5hf-w38v
Exploit, Vendor Advisory · security-advisories@github.com