Low severityNVD Advisory· Updated Feb 20, 2026

CVE-2026-26995

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/refraction-networking/utlsGo	>= 1.6.0, < 1.8.2	1.8.2

Patches

8fe0b08e9a0e

fix: add missing padding extension for chrome 120

https://github.com/refraction-networking/utlsMingye ChenJan 12, 2026via ghsa

commit

1 file changed · +1 −0

u_parrots.go+1 −0 modified

@@ -731,6 +731,7 @@ func utlsIdToSpec(id ClientHelloID) (ClientHelloSpec, error) {
 				&ApplicationSettingsExtension{SupportedProtocols: []string{"h2"}},
 				BoringGREASEECH(),
 				&UtlsGREASEExtension{},
+				&UtlsPaddingExtension{GetPaddingLen: BoringPaddingStyle},
 			}),
 		}, nil
 	// Chrome w/ Post-Quantum Key Agreement and ECH

Vulnerability mechanics

Not enough inputs (no patches or CWE) to synthesize mechanics for this CVE.

References

github.com/advisories/GHSA-rrxv-pmq9-x67rghsaADVISORY
github.com/refraction-networking/utls/commit/8fe0b08e9a0e7e2d08b268f451f2c79962e6acd0ghsaWEB
github.com/refraction-networking/utls/security/advisories/GHSA-rrxv-pmq9-x67rghsaWEB
pkg.go.dev/vuln/GO-2026-4512ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.065
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000