CVE-2026-26995
February 19, 2026
The padding extension was incorrectly removed in utls for the non-pq variant of Chrome 120 fingerprint. Chrome removed this extension only when sending pq keyshares. Only this fingerprint is affected since newer fingerprints have pq keyshares by default and older fingerprints have this extension. Affected symbols: "HelloChrome_120" Fix commit: 8fe0b08e9a0e7e2d08b268f451f2c79962e6acd0 Thanks to telegram @acgdaily for reporting this issue.
Affected Packages
https://github.com/refraction-networking/utls.git (GITHUB):
Affected version(s) >=v1.6.0 <v1.8.2Fix Suggestion:
Update to version v1.8.2github.com/refraction-networking/utls (GO):
Affected version(s) >=v1.6.0 <v1.8.2Fix Suggestion:
Update to version v1.8.2Related Resources (3)
Do you need more information?
Contact UsCVSS v4
Base Score:
2.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.1
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Exposure of Sensitive Information to an Unauthorized Actor
