Description
uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. In versions 1.6.7 and below, uTLS did not implement the TLS 1.3 downgrade protection mechanism specified in RFC 8446 Section 4.1.3 when using a uTLS ClientHello spec. This allowed an active network adversary to downgrade TLS 1.3 connections initiated by a uTLS client to a lower TLS version (e.g., TLS 1.2) by modifying the ClientHello message to exclude the SupportedVersions extension, causing the server to respond with a TLS 1.2 ServerHello (along with a downgrade canary in the ServerHello random field). Because uTLS did not check the downgrade canary in the ServerHello random field, clients would accept the downgraded connection without detecting the attack. This attack could also be used by an active network attacker to fingerprint uTLS connections. This issue has been fixed in version 1.7.0.
Published: 2026-02-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: TLS 1.3 downgrade without downgrade canary verification
Action: Patch Immediately
AI Analysis

Impact

uTLS, a fork of Go’s crypto/tls, does not validate the downgrade canary in the ServerHello random field for TLS 1.3 handshakes. An active attacker can modify the ClientHello to omit the SupportedVersions extension, leading the server to reply with a TLS 1.2 ServerHello that contains a downgrade canary. Because uTLS does not check this canary, the client accepts the downgraded session, allowing a man‑in‑the‑middle to impersonate the server or perform fingerprinting of uTLS traffic. This flaw is a data integrity and authentication weakness identified by CWE‑693.

Affected Systems

The vulnerability affects the refraction‑networking uTLS library in versions 1.6.7 and earlier. No other vendors or products are currently listed.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The flaw is not present in the CISA KEV catalog. An attacker would need a position on the network path to alter the ClientHello, so an uncontrolled remote exploit is unlikely, yet the potential to downgrade TLS 1.3 to TLS 1.2 poses a significant risk to confidentiality and integrity for communications that rely on uTLS.

Generated by OpenCVE AI on April 17, 2026 at 17:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uTLS to version 1.7.0 or newer.
  • If an upgrade is not immediately possible, disable or replace uTLS usage for sensitive connections and enforce TLS 1.3 with the standard library.
  • Monitor for anomalous ClientHello messages and apply network controls to block or alert on potential downgrade attempts.

Generated by OpenCVE AI on April 17, 2026 at 17:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pmc3-p9hx-jq96 uTLS ServerHellos are accepted without checking TLS 1.3 downgrade canaries
History

Fri, 20 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:refraction-networking:utls:*:*:*:*:*:go:*:*

Fri, 20 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Refraction-networking
Refraction-networking utls
Vendors & Products Refraction-networking
Refraction-networking utls

Fri, 20 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Description uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. In versions 1.6.7 and below, uTLS did not implement the TLS 1.3 downgrade protection mechanism specified in RFC 8446 Section 4.1.3 when using a uTLS ClientHello spec. This allowed an active network adversary to downgrade TLS 1.3 connections initiated by a uTLS client to a lower TLS version (e.g., TLS 1.2) by modifying the ClientHello message to exclude the SupportedVersions extension, causing the server to respond with a TLS 1.2 ServerHello (along with a downgrade canary in the ServerHello random field). Because uTLS did not check the downgrade canary in the ServerHello random field, clients would accept the downgraded connection without detecting the attack. This attack could also be used by an active network attacker to fingerprint uTLS connections. This issue has been fixed in version 1.7.0.
Title uTLS ServerHellos are accepted without checking TLS 1.3 downgrade canaries
Weaknesses CWE-693
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Refraction-networking Utls
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:12:28.142Z

Reserved: 2026-02-17T01:41:24.607Z

Link: CVE-2026-26994

cve-icon Vulnrichment

Updated: 2026-02-20T15:12:20.379Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-20T03:16:01.330

Modified: 2026-02-20T19:20:00.740

Link: CVE-2026-26994

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses