TROYANOSYVIRUS
Retour aux CVEs

CVE-2026-26994

MEDIUM
6.5

Description

uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. In versions 1.6.7 and below, uTLS did not implement the TLS 1.3 downgrade protection mechanism specified in RFC 8446 Section 4.1.3 when using a uTLS ClientHello spec. This allowed an active network adversary to downgrade TLS 1.3 connections initiated by a uTLS client to a lower TLS version (e.g., TLS 1.2) by modifying the ClientHello message to exclude the SupportedVersions extension, causing the server to respond with a TLS 1.2 ServerHello (along with a downgrade canary in the ServerHello random field). Because uTLS did not check the downgrade canary in the ServerHello random field, clients would accept the downgraded connection without detecting the attack. This attack could also be used by an active network attacker to fingerprint uTLS connections. This issue has been fixed in version 1.7.0.

Details CVE

Score CVSS v3.16.5
SeveriteMEDIUM
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie2/20/2026
Derniere modification2/20/2026
Sourcenvd
Observations honeypot0

Produits affectes

refraction-networking:utls

Faiblesses (CWE)

CWE-693

References

https://github.com/refraction-networking/utls/commit/f8892761e2a4d29054264651d3a86fda83bc83f9(security-advisories@github.com)
https://github.com/refraction-networking/utls/issues/181(security-advisories@github.com)
https://github.com/refraction-networking/utls/pull/337(security-advisories@github.com)
https://github.com/refraction-networking/utls/security/advisories/GHSA-pmc3-p9hx-jq96(security-advisories@github.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.