PT-2026-20995 · Utls +1

Published: 2026-02-20 · Updated: 2026-02-20 · CVE-2026-27017

CVSS v4.0: 2.3

Vector: AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

uTLS versions 1.6.0 through 1.8.0

Description

uTLS is a customized version of crypto/tls designed for fingerprinting resistance during the handshake process. Versions 1.6.0 through 1.8.0 exhibit a fingerprint mismatch with Chrome when utilizing GREASE ECH due to inconsistencies in cipher suite selection. Specifically, Chrome consistently bases its cipher suite choices on hardware support, preferring AES for both the outer cipher suite and ECH if AES is preferred. However, uTLS's implementation hardcodes an AES preference for outer cipher suites but randomly selects between AES and ChaCha20 for ECH. This can result in a combination of AES for the outer suite and ChaCha20 for ECH, which is not possible in Chrome. This issue is limited to GREASE ECH and does not affect standard ECH configurations, as uTLS correctly handles the first valid cipher suite when AES is preferred in those cases.

Recommendations

Update to uTLS version 1.8.1 or later.
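The mismatch in the description can be tested for in a captured ClientHello by comparing the AEAD family that leads the outer TLS 1.3 cipher suite list with the AEAD advertised in the GREASE ECH extension. The Go code below is an added example, not code from uTLS or Chrome: the function names and sample values are constructed, and treating a ChaCha20-first outer list paired with an AES ECH AEAD as equally inconsistent is an assumption drawn from the statement that Chrome bases both choices on hardware support.

```go
package main

import "fmt"

// TLS 1.3 cipher suite IDs (RFC 8446) and HPKE AEAD IDs (RFC 9180).
const (
	tlsAES128GCM  uint16 = 0x1301
	tlsAES256GCM  uint16 = 0x1302
	tlsChaCha20   uint16 = 0x1303
	hpkeAES128GCM uint16 = 0x0001
	hpkeAES256GCM uint16 = 0x0002
	hpkeChaCha20  uint16 = 0x0003
)

// outerPrefersAES reports which TLS 1.3 AEAD family appears first in the outer
// ClientHello cipher suite list. GREASE values and non-TLS-1.3 suites are
// skipped; ok is false if no TLS 1.3 AEAD suite is offered at all.
func outerPrefersAES(suites []uint16) (aes bool, ok bool) {
	for _, s := range suites {
		switch s {
		case tlsAES128GCM, tlsAES256GCM:
			return true, true
		case tlsChaCha20:
			return false, true
		}
	}
	return false, false
}

// greaseECHConsistent reports whether the AEAD advertised in a GREASE ECH
// extension belongs to the same family the outer cipher suite list prefers.
func greaseECHConsistent(outer []uint16, echAEAD uint16) bool {
	aes, ok := outerPrefersAES(outer)
	if !ok {
		return false // no TLS 1.3 AEAD offered: nothing to compare against
	}
	echAES := echAEAD == hpkeAES128GCM || echAEAD == hpkeAES256GCM
	echChaCha := echAEAD == hpkeChaCha20
	return (aes && echAES) || (!aes && echChaCha)
}

func main() {
	// Constructed sample: a GREASE value followed by AES-first TLS 1.3 suites.
	outer := []uint16{0x2a2a, tlsAES128GCM, tlsAES256GCM, tlsChaCha20}
	fmt.Println(greaseECHConsistent(outer, hpkeAES128GCM)) // AES outer, AES ECH
	fmt.Println(greaseECHConsistent(outer, hpkeChaCha20))  // AES outer, ChaCha20 ECH: the advisory's case
}
```

Running this over handshakes captured from your own client before and after upgrading to 1.8.1 shows whether the AES outer / ChaCha20 ECH pairing still occurs.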

Related Identifiers

CVE-2026-27017

Affected Products

Google Chrome
Utls