diff --git a/defaults.go b/defaults.go
index df64def..ef1a613 100644
--- a/defaults.go
+++ b/defaults.go
@@ -7,6 +7,7 @@ package tls
 import (
 	"internal/godebug"
 	"slices"
+	_ "unsafe" // for linkname
 )
 
 // Defaults are collected in this file to allow distributions to more easily patch
@@ -56,12 +57,31 @@ func defaultCipherSuites() []uint16 {
 // defaultCipherSuitesTLS13 is also the preference order, since there are no
 // disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as
 // cipherSuitesPreferenceOrder applies.
+//
+// defaultCipherSuitesTLS13 should be an internal detail,
+// but widely used packages access it using linkname.
+// Notable members of the hall of shame include:
+//   - github.com/quic-go/quic-go
+//
+// Do not remove or change the type signature.
+// See go.dev/issue/67401.
+//
+//go:linkname defaultCipherSuitesTLS13
 var defaultCipherSuitesTLS13 = []uint16{
 	TLS_AES_128_GCM_SHA256,
 	TLS_AES_256_GCM_SHA384,
 	TLS_CHACHA20_POLY1305_SHA256,
 }
 
+// defaultCipherSuitesTLS13NoAES should be an internal detail,
+// but widely used packages access it using linkname.
+// Notable members of the hall of shame include:
+//   - github.com/quic-go/quic-go
+//
+// Do not remove or change the type signature.
+// See go.dev/issue/67401.
+//
+//go:linkname defaultCipherSuitesTLS13NoAES
 var defaultCipherSuitesTLS13NoAES = []uint16{
 	TLS_CHACHA20_POLY1305_SHA256,
 	TLS_AES_128_GCM_SHA256,