VYPR
Low severity · NVD Advisory · Published Feb 20, 2026 · Updated Feb 20, 2026

uTLS has a Chrome Parrot Fingerprint Vulnerability due to GREASE ECH Cipher Suite Mismatch

CVE-2026-27017

Description

uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. Versions 1.6.0 through 1.8.0 contain a fingerprint mismatch with Chrome when using GREASE ECH, related to cipher suite selection. When Chrome selects the preferred cipher suite in the outer ClientHello and for ECH, it does so consistently based on hardware support—for example, if it prefers AES for the outer cipher suite, it also uses AES for ECH. However, the Chrome parrot in uTLS hardcodes AES preference for outer cipher suites but selects the ECH cipher suite randomly between AES and ChaCha20. This creates a 50% chance of selecting ChaCha20 for ECH while using AES for the outer cipher suite, a combination impossible in Chrome. This issue only affects GREASE ECH; in real ECH, Chrome selects the first valid cipher suite when AES is preferred, which uTLS handles correctly. This issue has been fixed in version 1.8.1.
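The invariant the advisory describes (the GREASE ECH AEAD must agree with the outer cipher suite preference, because Chrome derives both from the same hardware check) is the kind of property a fingerprint regression test can assert. The Go program below is an added illustration, not code from uTLS, from the advisory, or from the fix commit. It assumes the IANA HPKE AEAD identifiers (AES-128-GCM = 0x0001, ChaCha20-Poly1305 = 0x0003) in place of the dicttls.* names used in the patch, models the pre-fix candidate list (AES and ChaCha20, chosen at random) and the post-fix list (AES only), and measures how often each contradicts an AES-first outer order; the function names and the constructed outer suite order are this example's own.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"math/rand"
)

// HPKE AEAD identifiers from the IANA registry; these stand in for the
// dicttls.AEAD_* constants referenced in the fix commit (assumption of this example).
const (
	aeadAES128GCM        uint16 = 0x0001
	aeadChaCha20Poly1305 uint16 = 0x0003
)

// outerPrefersAES reports whether the first TLS 1.3 suite in the outer ClientHello
// order is an AES-GCM suite. The advisory states that Chrome orders AES first when
// the hardware accelerates AES and ChaCha20 first otherwise.
func outerPrefersAES(outer []uint16) bool {
	for _, s := range outer {
		switch s {
		case tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384:
			return true
		case tls.TLS_CHACHA20_POLY1305_SHA256:
			return false
		}
	}
	return false
}

// echAeadConsistent is the fingerprint invariant: the AEAD advertised in the
// GREASE ECH extension must match the outer cipher suite preference.
func echAeadConsistent(outer []uint16, echAead uint16) bool {
	if outerPrefersAES(outer) {
		return echAead == aeadAES128GCM
	}
	return echAead == aeadChaCha20Poly1305
}

// pickGREASEAead models the random choice among candidate AEADs. With the
// post-fix single-entry list the choice is deterministic.
func pickGREASEAead(candidates []uint16, r *rand.Rand) uint16 {
	return candidates[r.Intn(len(candidates))]
}

// mismatchRate simulates n GREASE ECH selections against one outer order and
// returns the fraction whose AEAD contradicts the outer preference.
func mismatchRate(outer, candidates []uint16, n int, seed int64) float64 {
	r := rand.New(rand.NewSource(seed))
	bad := 0
	for i := 0; i < n; i++ {
		if !echAeadConsistent(outer, pickGREASEAead(candidates, r)) {
			bad++
		}
	}
	return float64(bad) / float64(n)
}

func main() {
	// Constructed outer order for an AES-preferring Chrome parrot (example data).
	chromeOuter := []uint16{
		tls.TLS_AES_128_GCM_SHA256,
		tls.TLS_AES_256_GCM_SHA384,
		tls.TLS_CHACHA20_POLY1305_SHA256,
	}
	before := []uint16{aeadAES128GCM, aeadChaCha20Poly1305} // candidate list in uTLS 1.6.0 through 1.8.0
	after := []uint16{aeadAES128GCM}                        // candidate list in uTLS 1.8.1

	fmt.Printf("mismatch rate before fix: %.2f\n", mismatchRate(chromeOuter, before, 10000, 1))
	fmt.Printf("mismatch rate after fix:  %.2f\n", mismatchRate(chromeOuter, after, 10000, 1))
}
```

Run as written, the pre-fix list mismatches in roughly half of the simulated selections and the post-fix list never does; echAeadConsistent is the check a parrot test suite could apply to every generated ClientHello rather than only to the GREASE ECH candidate list.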

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                Ecosystem   Affected versions     Patched versions
github.com/refraction-networking/utls  Go          >= 1.6.0, < 1.8.1     1.8.1

Patches

24bd1e05a788

fix: use AES in GREASE ECH for Chrome fingerprint

https://github.com/refraction-networking/utls · Mingye Chen · Oct 10, 2025 · via ghsa
1 file changed · +0 −4
  • u_ech.go (+0 −4, modified)
    @@ -300,10 +300,6 @@ func BoringGREASEECH() *GREASEEncryptedClientHelloExtension {
     				KdfId:  dicttls.HKDF_SHA256,
     				AeadId: dicttls.AEAD_AES_128_GCM,
     			},
    -			{
    -				KdfId:  dicttls.HKDF_SHA256,
    -				AeadId: dicttls.AEAD_CHACHA20_POLY1305,
    -			},
     		},
     		CandidatePayloadLens: []uint16{128, 160, 192, 224}, // +16: 144, 176, 208, 240
     	}
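Review bot: removing the ChaCha20 entry leaves a single candidate in the GREASE ECH cipher suite list, so the random selection degenerates to AES-128-GCM and always agrees with the AES-first outer suite order that the Chrome parrot hardcodes, which is the correct fix for the mismatch; since the remaining list still reads like a preference list rather than a deliberate single choice, a short comment on the surviving AES_128_GCM entry stating that it must match the outer cipher suite ordering, plus a test asserting that the Chrome parrots' GREASE ECH AeadId equals AEAD_AES_128_GCM, would stop a future contributor from re-adding CHACHA20_POLY1305 for variety and reintroducing the 50% mismatch.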
    
