What is CVE-2026-26994?

CVE-2026-26994 is a medium-severity vulnerability in Refraction-networking Utls, classified under Protection Mechanism Failure. CVSS score: 6.5/10. Published 2026-02-20.

How severe is CVE-2026-26994?

Medium severity. CVSS v3 base score is 6.5 out of 10.

Vulnerability in Refraction-networking Utls

CVE-2026-26994

uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. In versions 1.6.7 and below, uTLS did not implement the TLS 1.3 downgrade protection mechanism specified i…

EPSS: 0.000 (3.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.5 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N.

Affected products

Refraction-networking Utls — versions < 1.7.0

Weakness classification (CWE)

CWE-693 — Protection Mechanism Failure

References

https://github.com/refraction-networking/utls/security/advisories/GHSA-pmc3-p9hx-jq96 (x_refsource_CONFIRM)
https://github.com/refraction-networking/utls/issues/181 (x_refsource_MISC)
https://github.com/refraction-networking/utls/pull/337 (x_refsource_MISC)
https://github.com/refraction-networking/utls/commit/f8892761e2a4d29054264651d3a86fda83bc83f9 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-26994?: CVE-2026-26994 is a medium-severity vulnerability in Refraction-networking Utls, classified under Protection Mechanism Failure. CVSS score: 6.5/10. Published 2026-02-20.
How severe is CVE-2026-26994?: Medium severity. CVSS v3 base score is 6.5 out of 10.