Description
uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. Versions 1.6.0 through 1.8.0 contain a fingerprint mismatch with Chrome when using GREASE ECH, related to cipher suite selection. When Chrome selects the preferred cipher suite in the outer ClientHello and for ECH, it does so consistently based on hardware support—for example, if it prefers AES for the outer cipher suite, it also uses AES for ECH. However, the Chrome parrot in uTLS hardcodes AES preference for outer cipher suites but selects the ECH cipher suite randomly between AES and ChaCha20. This creates a 50% chance of selecting ChaCha20 for ECH while using AES for the outer cipher suite, a combination impossible in Chrome. This issue only affects GREASE ECH; in real ECH, Chrome selects the first valid cipher suite when AES is preferred, which uTLS handles correctly. This issue has been fixed in version 1.8.1.
Published: 2026-02-20
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Fingerprinting
Action: Update
AI Analysis

Impact

The vulnerability stems from a mismatch in cipher suite selection in the uTLS library when GREASE ECH is used with the Chrome parrot implementation. uTLS hardcodes an AES preference for the outer ClientHello but selects the ECH cipher suite randomly between AES and ChaCha20. This yields a 50% chance of sending an outer AES cipher suite paired with an inner ChaCha20 suite, a combination that Chrome will never generate. The resulting fingerprint discrepancy allows observers to distinguish traffic that uses the vulnerable uTLS version from genuine Chrome traffic, exposing the use of the library.
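As an added illustration (not code from uTLS or from this advisory), the following Go check models the consistency rule the description gives and flags the AES-outer/ChaCha20-ECH combination that Chrome never produces; it also handles the ChaCha20-first ordering Chrome uses without AES hardware. It assumes the outer ECHClientHello extension body layout from the draft-ietf-tls-esni encoding (type, kdf_id, aead_id, config_id, enc, payload) and uses constructed sample bodies.

```go
package main
import (
	"encoding/binary"
	"fmt"
)

// TLS 1.3 cipher suite ids (RFC 8446) and HPKE AEAD ids (RFC 9180).
const (
	tlsAES128GCM, tlsAES256GCM, tlsChaCha20    uint16 = 0x1301, 0x1302, 0x1303
	hpkeAES128GCM, hpkeAES256GCM, hpkeChaCha20 uint16 = 0x0001, 0x0002, 0x0003
)

// echAEAD reads the HPKE AEAD id from an outer ECHClientHello extension body,
// assumed laid out as type(1)=0 | kdf_id(2) | aead_id(2) | config_id(1) | enc | payload.
func echAEAD(ext []byte) (uint16, error) {
	if len(ext) < 6 || ext[0] != 0 {
		return 0, fmt.Errorf("not an outer ECHClientHello (%d bytes)", len(ext))
	}
	return binary.BigEndian.Uint16(ext[3:5]), nil
}

// outerPrefersAES: is the first TLS 1.3 suite offered AES-GCM? (TLS 1.2 suites are skipped.)
func outerPrefersAES(suites []uint16) bool {
	for _, s := range suites {
		switch s {
		case tlsAES128GCM, tlsAES256GCM:
			return true
		case tlsChaCha20:
			return false
		}
	}
	return false
}

// ChromeConsistent is true when outer preference and ECH AEAD agree the way Chrome picks
// them (AES with AES, ChaCha20 with ChaCha20); false is the uTLS 1.6.0-1.8.0 mismatch.
func ChromeConsistent(suites []uint16, ext []byte) (bool, error) {
	aead, err := echAEAD(ext)
	if err != nil {
		return false, err
	}
	return outerPrefersAES(suites) == (aead == hpkeAES128GCM || aead == hpkeAES256GCM), nil
}

func main() {
	chrome := []uint16{tlsAES128GCM, tlsAES256GCM, tlsChaCha20} // AES-first order
	// Constructed extension bodies: type 0, HKDF-SHA256 kdf, AEAD 0x0001 vs 0x0003, config id 0x2a.
	aesAES, _ := ChromeConsistent(chrome, []byte{0, 0, 1, 0, 1, 0x2a})
	aesChaCha, _ := ChromeConsistent(chrome, []byte{0, 0, 1, 0, 3, 0x2a})
	fmt.Println("AES/AES consistent:", aesAES, "AES/ChaCha20 consistent:", aesChaCha)
}
```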

Affected Systems

Affected products are the refraction-networking uTLS library, specifically all releases from 1.6.0 through 1.8.0. The flaw affects any application that embeds this library to customize TLS handshakes, such as proxies, load balancers, or custom clients that aim for Chrome fingerprint resistance. No operating system or external components are involved; the issue is confined to the TLS implementation within the library.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, and the EPSS probability is below 1%, with no entry in CISA's KEV catalog. Because the flaw only reveals a fingerprinting signature, there is no direct path to compromising confidentiality, integrity, or availability, and exploitation requires that the adversary observe the TLS traffic. Consequently, the risk is minimal: a user-facing privacy concern rather than a critical security vulnerability. Mitigation involves applying the official fix, but alternatives are available for immediate use.

Generated by OpenCVE AI on April 17, 2026 at 17:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the refraction-networking uTLS library to version 1.8.1 or later.
  • If an upgrade is not possible, configure the library to avoid using GREASE ECH; disabling GREASE ECH removes the mismatch, restoring fingerprint consistency.
  • If disabling GREASE ECH is not feasible, or a temporary solution is needed, consider using an alternative TLS library that correctly implements ECH and preserves fingerprint integrity.



Advisories
Source: GitHub GHSA
ID: GHSA-7m29-f4hw-g2vx
Title: uTLS has a fingerprint vulnerability from GREASE ECH mismatch for Chrome parrots
History

Fri, 20 Feb 2026 19:15:00 +0000

Values added:
  CPEs: cpe:2.3:a:refraction-networking:utls:*:*:*:*:*:go:*:*
  Metrics (cvssV3_1): score 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N


Fri, 20 Feb 2026 16:15:00 +0000

Values added:
  Metrics (ssvc, version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: partial


Fri, 20 Feb 2026 10:15:00 +0000

Values added:
  First time appeared: Refraction-networking; Refraction-networking utls
  Vendors & Products: Refraction-networking; Refraction-networking utls

Fri, 20 Feb 2026 03:15:00 +0000

Values added:
  Description: (the description text shown at the top of this page)
  Title: uTLS has a Chrome Parrot Fingerprint Vulnerability due to GREASE ECH Cipher Suite Mismatch
  Weaknesses: CWE-1240
  References:
  Metrics (cvssV4_0): score 2.3, vector CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T15:20:18.976Z

Reserved: 2026-02-17T03:08:23.490Z

Link: CVE-2026-27017

Vulnrichment

Updated: 2026-02-20T15:20:12.740Z

NVD

Status: Analyzed

Published: 2026-02-20T03:16:01.797

Modified: 2026-02-20T19:09:30.593

Link: CVE-2026-27017

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:45:24Z

Weaknesses