Chrome Parrot in uTLS Can Be Identified by Attackers
CVE-2026-27017
GHSA-7m29-f4hw-g2vx
Summary
A bug in uTLS's Chrome parrot (the ClientHello template that imitates Chrome) lets a network observer distinguish uTLS from a real Chrome client even when the user is trying to blend in. The tell appears only when the GREASE Encrypted Client Hello (ECH) extension is sent: the parrot hardcodes an AES-first cipher-suite order in the outer ClientHello but picks the GREASE ECH cipher suite at random between AES and ChaCha20, a combination real Chrome never produces. Update uTLS to 1.8.1 or later.
What to do
- Update github.com/refraction-networking/utls to version 1.8.1 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| refraction-networking | utls (Go module github.com/refraction-networking/utls) | > 1.6.0, < 1.8.1 | 1.8.1 |
Original title
uTLS has a fingerprint vulnerability from GREASE ECH mismatch for Chrome parrots
Original description
There is a fingerprint mismatch with Chrome when using GREASE ECH, having to do with ciphersuite selection. When Chrome selects the preferred ciphersuite in the outer ClientHello and the ciphersuite for ECH, it does so consistently based on hardware support. That means, for example, if it prefers AES for the outer ciphersuite, it would also use AES for ECH. The Chrome parrot in utls hardcodes AES preference for outer ciphersuites but selects the ECH ciphersuite randomly between AES and ChaCha20. So there is a 50% chance of selecting ChaCha20 for ECH while using AES for the outer ciphersuite, which is impossible in Chrome.
This is only a problem in GREASE ECH, since in real ECH Chrome selects the first valid ciphersuite when AES is preferred, which is the same in utls. So no change is done there.
Affected symbols: `HelloChrome_120`, `HelloChrome_120_PQ`, `HelloChrome_131`, `HelloChrome_133`
Fix commit: 24bd1e05a788c1add7f3037f4532ea552b2cee07
Thanks to telegram @acgdaily for reporting this issue.
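The observer-side check implied by the description, as an added example that is not code from uTLS, Chrome or the advisory: parse the outer `encrypted_client_hello` extension body for its HPKE AEAD id, read the AES/ChaCha20 preference from the first non-GREASE TLS 1.3 suite in the outer cipher-suite list, and flag the pair when they disagree. The wire layout follows draft-ietf-tls-esni (type, kdf_id, aead_id, config_id, enc, payload); the cipher-suite list and the ECH extension bodies are constructed inline, and all function names are my own.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// TLS 1.3 cipher suite IDs (RFC 8446) and HPKE algorithm IDs (RFC 9180).
const (
	TLS_AES_128_GCM_SHA256       uint16 = 0x1301
	TLS_AES_256_GCM_SHA384       uint16 = 0x1302
	TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303

	HPKE_KDF_HKDF_SHA256        uint16 = 0x0001
	HPKE_AEAD_AES_128_GCM       uint16 = 0x0001
	HPKE_AEAD_AES_256_GCM       uint16 = 0x0002
	HPKE_AEAD_CHACHA20_POLY1305 uint16 = 0x0003
)

// isGREASE reports whether v is an RFC 8701 GREASE value (0x0a0a, 0x1a1a, ..., 0xfafa).
func isGREASE(v uint16) bool {
	return v&0x0f0f == 0x0a0a && v>>8 == v&0xff
}

// outerPreference returns "aes" or "chacha" from the first non-GREASE TLS 1.3
// suite in the outer ClientHello; Chrome orders these by hardware AES support.
func outerPreference(suites []uint16) (string, error) {
	for _, s := range suites {
		switch {
		case isGREASE(s):
			continue
		case s == TLS_AES_128_GCM_SHA256 || s == TLS_AES_256_GCM_SHA384:
			return "aes", nil
		case s == TLS_CHACHA20_POLY1305_SHA256:
			return "chacha", nil
		}
	}
	return "", errors.New("no TLS 1.3 cipher suite in outer ClientHello")
}

// aeadFamily maps the HPKE AEAD id carried in the ECH extension to a family.
func aeadFamily(aead uint16) (string, error) {
	switch aead {
	case HPKE_AEAD_AES_128_GCM, HPKE_AEAD_AES_256_GCM:
		return "aes", nil
	case HPKE_AEAD_CHACHA20_POLY1305:
		return "chacha", nil
	}
	return "", fmt.Errorf("unknown HPKE AEAD id 0x%04x", aead)
}

// parseOuterECH parses an outer-type encrypted_client_hello extension body:
// type(1)=0, kdf_id(2), aead_id(2), config_id(1), enc<0..2^16-1>, payload<1..2^16-1>.
func parseOuterECH(b []byte) (kdf, aead uint16, err error) {
	if len(b) < 8 || b[0] != 0 {
		return 0, 0, errors.New("not an outer ECH extension body")
	}
	kdf = binary.BigEndian.Uint16(b[1:3])
	aead = binary.BigEndian.Uint16(b[3:5])
	rest := b[6:] // skip config_id
	encLen := int(binary.BigEndian.Uint16(rest[:2]))
	rest = rest[2:]
	if len(rest) < encLen+2 {
		return 0, 0, errors.New("truncated enc field")
	}
	rest = rest[encLen:]
	payLen := int(binary.BigEndian.Uint16(rest[:2]))
	rest = rest[2:]
	if payLen == 0 || len(rest) != payLen {
		return 0, 0, errors.New("bad payload length")
	}
	return kdf, aead, nil
}

func put16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// buildOuterECH serialises the same structure; it exists only to build the
// constructed sample extensions used below (not captured Chrome traffic).
func buildOuterECH(kdf, aead uint16, configID byte, enc, payload []byte) []byte {
	out := put16(put16([]byte{0}, kdf), aead)
	out = append(out, configID)
	out = append(put16(out, uint16(len(enc))), enc...)
	return append(put16(out, uint16(len(payload))), payload...)
}

// Verdict is what a passive observer concludes from one ClientHello.
type Verdict struct {
	Outer, ECH       string
	PossibleInChrome bool
}

// classify applies the advisory's observation: Chrome picks the ECH cipher
// suite with the same AES/ChaCha20 preference as the outer list, so an
// AES-first outer list paired with a ChaCha20 GREASE ECH suite is never Chrome.
func classify(outerSuites []uint16, echExt []byte) (Verdict, error) {
	outer, err := outerPreference(outerSuites)
	if err != nil {
		return Verdict{}, err
	}
	_, aead, err := parseOuterECH(echExt)
	if err != nil {
		return Verdict{}, err
	}
	ech, err := aeadFamily(aead)
	if err != nil {
		return Verdict{}, err
	}
	return Verdict{Outer: outer, ECH: ech, PossibleInChrome: outer == ech}, nil
}

func main() {
	// Constructed outer list in Chrome's AES-hardware order: GREASE, AES-128,
	// AES-256, ChaCha20, then TLS 1.2 suites.
	chromeOuter := []uint16{0x3a3a, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
		TLS_CHACHA20_POLY1305_SHA256, 0xc02b, 0xc02f}
	enc := make([]byte, 32)      // placeholder encapsulated key
	payload := make([]byte, 144) // placeholder ECH payload
	for _, aead := range []uint16{HPKE_AEAD_AES_128_GCM, HPKE_AEAD_CHACHA20_POLY1305} {
		v, err := classify(chromeOuter, buildOuterECH(HPKE_KDF_HKDF_SHA256, aead, 0x2a, enc, payload))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("outer=%s ech=%s possible_in_chrome=%v\n", v.Outer, v.ECH, v.PossibleInChrome)
	}
}
```

The check is deliberately one-directional in what it proves: a consistent pair says nothing about the client, while the AES/ChaCha20 mismatch is a positive identification of a non-Chrome client, which is exactly the 50% exposure the advisory describes for the unfixed parrots.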
NVD CVSS 3.1: 5.3
NVD CVSS 4.0: 2.3
Vulnerability type
CWE-1240 (Use of a Cryptographic Primitive with a Risky Implementation)
References
- https://github.com/refraction-networking/utls/commit/24bd1e05a788c1add7f3037f453...
- https://github.com/refraction-networking/utls/releases/tag/v1.8.1
- https://nvd.nist.gov/vuln/detail/CVE-2026-27017
- https://pkg.go.dev/vuln/GO-2026-4509
- https://github.com/advisories/GHSA-7m29-f4hw-g2vx
- https://github.com/refraction-networking/utls/security/advisories/GHSA-7m29-f4hw... (vendor advisory, patch)
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026