Summary
node:crypto.checkPrime(candidate[, options][, callback]) and crypto.checkPrimeSync(candidate[, options]) ran no Miller-Rabin rounds at all when the caller left options.checks at its default of 0. In that mode, the only test applied to the candidate was trial division by the primes up to 17,863. Any composite whose smallest prime factor exceeds that bound, for example the product of two primes just above it, such as 17,881 × 17,891, was reported as true ("probably prime").
The same divergence affected the lower-level op_node_check_prime / op_node_check_prime_bytes paths that the polyfill calls into.
Node.js itself does not have this problem: it forwards checks = 0 to OpenSSL's BN_check_prime, which substitutes a sensible default number of rounds based on the candidate's bit length (per FIPS 186-4 Appendix C.3 Table C.1). Deno's Rust implementation had no equivalent fallback, so count = 0 meant "skip the loop entirely."
Affected APIs
crypto.checkPrime(candidate)(callback form, default options)crypto.checkPrime(candidate, { checks: 0 }, callback)crypto.checkPrimeSync(candidate)(default options)crypto.checkPrimeSync(candidate, { checks: 0 })
Callers who explicitly passed checks >= 1 were less affected, the loop ran the number of rounds they asked for, but were still receiving fewer rounds than Node would have applied for the same bit length. With the patched version they get at least the FIPS minimum.
Not affected
- Deno's prime generation (
crypto.generatePrime,crypto.generatePrimeSync, and the DH parameter generation path). Those routes go throughPrime::generate_with_optionsinext/node_crypto/primes.rs, which hardcodes20Miller-Rabin rounds and never reads a user-controlledchecksvalue, so the bug never reached them. - Any other Deno-internal use of primality testing,
is_probably_primeis not called from elsewhere in the runtime withcount = 0. - Web Crypto (
crypto.subtle.*), which uses entirely separate code paths and does not expose a primality test.
Reproduction
import { checkPrimeSync } from "node:crypto";
// 17881 and 17891 are both prime and both above the trial-division
// ceiling used by Deno's implementation.
const composite = 17881n * 17891n;
// Affected versions print `true`; the patched version prints `false`.
console.log(checkPrimeSync(composite));
The same result is reproducible from Rust against the internal helper:
use num_bigint::BigInt;
let composite = BigInt::from(17881u32) * BigInt::from(17891u32);
assert!(!is_probably_prime(&composite, 0)); // fails on affected versions
Workarounds
If you cannot upgrade immediately:
- Pass an explicit
checksvalue when callingcrypto.checkPrimeorcrypto.checkPrimeSync. A value of64is conservative for any reasonable bit length and keeps the loop running. - Do not rely on
crypto.checkPrimeto validate attacker-influenced bignums in security-critical paths until you are on the patched release.
Impact
The realistic exposure is application-level: a Deno program that calls crypto.checkPrime (or its sync variant) with default options to validate an externally-supplied bignum, for example checking a peer-provided Diffie-Hellman prime, validating a prime read from configuration, or sanity-checking an RSA factor, will accept crafted composites as prime. The composite is trivial to construct: any product of two primes greater than 17,863 works.
Downstream consequences depend on what the program does with the "verified" prime. If the prime is fed into a key exchange, signature verification, or factorization-style check, the security guarantees of that protocol collapse to whatever the attacker engineered into the composite.
The CVSS impact is bounded by the requirement that the victim application both (a) calls checkPrime with default options and (b) acts on the result for security-relevant input it does not control.
CVE-2026-49440 has a CVSS score of 7.4 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.8.1); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
PR #34391 introduces a
helper min_miller_rabin_rounds_for_bits(bits) that returns the FIPS
186-4 Appendix C.3 round counts, matching the defaults OpenSSL uses
inside BN_check_prime. is_probably_prime then clamps the loop bound
to count.max(min_miller_rabin_rounds_for_bits(n.bits())). The
probabilistic loop now always executes, regardless of what checks
value the caller supplied, with a round count strong enough to keep the
false-positive probability below 2^-80. Callers that pass a larger
explicit checks still get exactly that many rounds.
Unit tests under ext/node_crypto/primes.rs cover the17,881 × 17,891 case, a larger 64-bit composite, and the FIPS lookup
table itself.
Frequently Asked Questions
- What is CVE-2026-49440? CVE-2026-49440 is a high-severity security vulnerability in deno (rust), affecting versions <= 2.8.0. It is fixed in 2.8.1.
- How severe is CVE-2026-49440? CVE-2026-49440 has a CVSS score of 7.4 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of deno are affected by CVE-2026-49440? deno (rust) versions <= 2.8.0 is affected.
- Is there a fix for CVE-2026-49440? Yes. CVE-2026-49440 is fixed in 2.8.1. Upgrade to this version or later.
- Is CVE-2026-49440 exploitable, and should I be worried? Whether CVE-2026-49440 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-49440 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-49440? Upgrade
denoto 2.8.1 or later.