PT-2026-20995 · Google+1 · Google Chrome+1
Telegram@Acgdaily
Published: 2026-02-18 · Updated: 2026-05-30
CVE-2026-27017
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
uTLS versions 1.6.0 through 1.8.0
Description
uTLS is a customized version of crypto/tls designed for fingerprinting resistance during the handshake process. Versions 1.6.0 through 1.8.0 exhibit a fingerprint mismatch with Chrome when utilizing GREASE ECH due to inconsistencies in cipher suite selection. Specifically, Chrome consistently bases its cipher suite choices on hardware support—preferring AES for both the outer cipher suite and ECH if AES is preferred. However, uTLS’s implementation hardcodes an AES preference for outer cipher suites but randomly selects between AES and ChaCha20 for ECH. This can result in a combination of AES for the outer suite and ChaCha20 for ECH, which is not possible in Chrome. This issue is limited to GREASE ECH and does not affect standard ECH configurations, as uTLS correctly handles the first valid cipher suite when AES is preferred in those cases.
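The consistency rule described above can be checked against a captured or generated ClientHello. The following Go sketch is an added example, not code from uTLS or Chrome; the function names are hypothetical, the rule is taken from this description, and treating HPKE AES-256-GCM as part of the AES family is an assumption.

```go
package main

import "fmt"

// TLS 1.3 cipher suite IDs (RFC 8446) and HPKE AEAD IDs (RFC 9180).
const (
	tlsAES128, tlsAES256, tlsChaCha    uint16 = 0x1301, 0x1302, 0x1303
	hpkeAES128, hpkeAES256, hpkeChaCha uint16 = 0x0001, 0x0002, 0x0003
)

// isGREASE reports whether v is a GREASE placeholder (RFC 8701: 0x0a0a, 0x1a1a, ...).
func isGREASE(v uint16) bool { return v&0x0f0f == 0x0a0a && v>>8 == v&0xff }

// outerPrefersAES inspects the first TLS 1.3 suite in the outer list; ok is false if none exists.
func outerPrefersAES(suites []uint16) (aes, ok bool) {
	for _, s := range suites {
		switch {
		case isGREASE(s):
			continue // skip GREASE placeholders
		case s == tlsAES128 || s == tlsAES256:
			return true, true
		case s == tlsChaCha:
			return false, true
		}
	}
	return false, false
}

// CheckGREASEECH returns nil when the GREASE ECH AEAD family matches the preferred outer suite.
func CheckGREASEECH(outerSuites []uint16, echAEAD uint16) error {
	aes, ok := outerPrefersAES(outerSuites)
	if !ok {
		return fmt.Errorf("no TLS 1.3 suite in outer list")
	}
	echAES := echAEAD == hpkeAES128 || echAEAD == hpkeAES256
	if !echAES && echAEAD != hpkeChaCha {
		return fmt.Errorf("unrecognised HPKE AEAD 0x%04x", echAEAD)
	}
	if aes != echAES {
		return fmt.Errorf("outer prefers AES=%v but GREASE ECH AEAD is 0x%04x", aes, echAEAD)
	}
	return nil
}

func main() {
	outer := []uint16{0x1a1a, tlsAES128, tlsAES256, tlsChaCha, 0xc02b} // constructed sample
	fmt.Println(CheckGREASEECH(outer, hpkeAES128)) // consistent pairing
	fmt.Println(CheckGREASEECH(outer, hpkeChaCha)) // the pairing described in the advisory
}
```

Run over the output of a uTLS-based client before and after upgrading, the second case should stop appearing once GREASE ECH follows the outer preference.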
Recommendations
Update to uTLS version 1.8.1 or later.
Affected Products
Google Chrome
Utls