GHSA-7M29-F4HW-G2VX

Vulnerability from github – Published: 2026-02-18 22:33 – Updated: 2026-02-27 20:37
VLAI?
Summary
uTLS has a fingerprint vulnerability from GREASE ECH mismatch for Chrome parrots
Details

There is a fingerprint mismatch with Chrome when using GREASE ECH, having to do with ciphersuite selection. When Chrome selects the preferred ciphersuite in the outer ClientHello and the ciphersuite for ECH, it does so consistently based on hardware support. That means, for example, if it prefers AES for the outer ciphersuite, it would also use AES for ECH. The Chrome parrot in utls hardcodes AES preference for outer ciphersuites but selects the ECH ciphersuite randomly between AES and ChaCha20. So there is a 50% chance of selecting ChaCha20 for ECH while using AES for the outer ciphersuite, which is impossible in Chrome.

This is only a problem in GREASE ECH, since in real ECH Chrome selects the first valid ciphersuite when AES is preferred, which is the same in utls. So no change is done there.

Affected symbols: HelloChrome_120, HelloChrome_120_PQ, HelloChrome_131, HelloChrome_133

Fix commit: 24bd1e05a788c1add7f3037f4532ea552b2cee07

Thanks to telegram @acgdaily for reporting this issue.

Severity ?
2.3 (Low)
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/refraction-networking/utls"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.6.0"
            },
            {
              "fixed": "1.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-27017"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1240"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-18T22:33:18Z",
    "nvd_published_at": "2026-02-20T03:16:01Z",
    "severity": "LOW"
  },
  "details": "There is a fingerprint mismatch with Chrome when using GREASE ECH, having to do with ciphersuite selection. When Chrome selects the preferred ciphersuite in the outer ClientHello and the ciphersuite for ECH, it does so consistently based on hardware support. That means, for example, if it prefers AES for the outer ciphersuite, it would also use AES for ECH. The Chrome parrot in utls hardcodes AES preference for outer ciphersuites but selects the ECH ciphersuite randomly between AES and ChaCha20. So there is a 50% chance of selecting ChaCha20 for ECH while using AES for the outer ciphersuite, which is impossible in Chrome.\n\nThis is only a problem in GREASE ECH, since in real ECH Chrome selects the first valid ciphersuite when AES is preferred, which is the same in utls. So no change is done there.\n\nAffected symbols: `HelloChrome_120`, `HelloChrome_120_PQ`, `HelloChrome_131`, `HelloChrome_133`\n\nFix commit: 24bd1e05a788c1add7f3037f4532ea552b2cee07\n\nThanks to telegram @acgdaily for reporting this issue.",
  "id": "GHSA-7m29-f4hw-g2vx",
  "modified": "2026-02-27T20:37:32Z",
  "published": "2026-02-18T22:33:18Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/refraction-networking/utls/security/advisories/GHSA-7m29-f4hw-g2vx"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27017"
    },
    {
      "type": "WEB",
      "url": "https://github.com/refraction-networking/utls/commit/24bd1e05a788c1add7f3037f4532ea552b2cee07"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/refraction-networking/utls"
    },
    {
      "type": "WEB",
      "url": "https://github.com/refraction-networking/utls/releases/tag/v1.8.1"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2026-4509"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "uTLS has a fingerprint vulnerability from GREASE ECH mismatch for Chrome parrots"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.