Is github.com/refraction-networking/utls affected by CVE-2026-27017?

Go github.com/refraction-networking/utls is affected in >=1.6.0 <1.8.1.

Is CVE-2026-27017 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.2%.

medium

CVE-2026-27017

Q: Is CVE-2026-27017 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.2%.

Go · github.com/refraction-networking/utls

Summary

Fingerprint vulnerability in uTLS from GREASE ECH mismatch for Chrome parrots in github.com/refraction-networking/utls

Severity: medium
EPSS: 0.2% (p5)
Also known as: GHSA-7m29-f4hw-g2vx, GO-2026-4509
Published: 2026-02-24

References

https://github.com/refraction-networking/utls/security/advisories/GHSA-7m29-f4hw-g2vx
https://github.com/refraction-networking/utls/commit/24bd1e05a788c1add7f3037f4532ea552b2cee07
https://github.com/refraction-networking/utls/releases/tag/v1.8.1

Related advisories

CVE-2026-26995 — medium · Go/github.com/refraction-networking/utls

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.