PT-2026-20790 · Google · Google Chrome

Published: 2026-02-18 · Updated: 2026-03-03 · CVE-2026-26995

CVSS v4.0: 2.3 (Low)

Vector: AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Chrome versions prior to the fix commit 8fe0b08e9a0e7e2d08b268f451f2c79962e6acd0

Description

The padding extension is incorrectly removed in utls for the non-pq variant of the HelloChrome 120 fingerprint. Chrome only removed this extension when sending pq keyshares. Only this fingerprint is affected, because newer fingerprints have pq keyshares by default and older fingerprints have this extension.

Recommendations

Apply the fix commit 8fe0b08e9a0e7e2d08b268f451f2c79962e6acd0.

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2026-26995
GHSA-RRXV-PMQ9-X67R
GO-2026-4512
SUSE-SU-2026:0757-1

Affected Products

Google Chrome