← Back

CVE-2026-34776

nvd nist
Published: Apr 4, 2026Modified: Apr 27, 2026

JSON object

Loading...
5.3
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 / Impact: 1.4
Source: NVD

Description

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, on macOS and Linux, apps that call app.requestSingleInstanceLock() were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler. This issue is limited to processes running as the same user as the Electron app. Apps that do not call app.requestSingleInstanceLock() are not affected. Windows is not affected by this issue. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.

Affected (17)

Products: Electronjs: Electron
Electronjs
1 product
Electron
Configuration A
17 vulnerable
Vulnerable SoftwareAffected Versions
Electronjs
Electron
Before 38.8.6
Electron
From 39.0.0 to 39.8.1
Electron
From 40.0.0 to 40.8.1
Electron
Version 41.0.0 alpha1
Electron
Version 41.0.0 alpha2
Electron
Version 41.0.0 alpha3
Electron
Version 41.0.0 alpha4
Electron
Version 41.0.0 alpha5
Electron
Version 41.0.0 alpha6
Electron
Version 41.0.0 beta1
Electron
Version 41.0.0 beta2
Electron
Version 41.0.0 beta3
Electron
Version 41.0.0 beta4
Electron
Version 41.0.0 beta5
Electron
Version 41.0.0 beta6
Electron
Version 41.0.0 beta7
Electron
Version 41.0.0 beta8

Related CWEs

CWE-125
Out-of-bounds Read
The product reads data past the end, or before the beginning, of the intended buffer.

References (1)

Source: security-advisories@github.com
Vendor Advisory

Timeline

No history available yet.