CVE-2026-34772: Electron Use-After-Free in Download Handling
Platform
nodejs
Component
electron
Fixed in
38.8.6
CVE-2026-34772 describes a use-after-free vulnerability in Electron. Applications that permit downloads and programmatically destroy sessions are susceptible. If a session is torn down while a native save-file dialog for one of its downloads is still open, dismissing the dialog may dereference memory that was freed together with the session, which can crash the process or corrupt memory. Affected are Electron releases older than the fix on their release line: the vulnerability is fixed in 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.7.
How to fix
Upgrade Electron to 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.7, or a later release on the same line. If you cannot upgrade yet, cancel pending downloads before tearing down a session so that no save dialog is left open against a destroyed session.
Frequently asked questions
What is CVE-2026-34772?
CVE-2026-34772 is a use-after-free vulnerability in Electron. It occurs when a session is torn down while a native save-file dialog is open for a download, potentially leading to crashes or memory corruption.
Am I affected by CVE-2026-34772?
You are affected if your Electron application allows downloads, destroys sessions at runtime, and runs an Electron release older than the fix on its line (before 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.7). Apps that never destroy sessions or never permit downloads are not affected.
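A quick way to check the version half of that question is to compare the Electron release your app ships against the fixed release for its line. The following is an added example written for this page, not code from the advisory or from the Electron project. It assumes that release lines older than 38 never received the fix (they are treated as affected) and that lines newer than 41 ship with it; prerelease tags such as `41.0.0-beta.7` are compared the semver way.

```javascript
// Added example (not from the advisory or Electron): does a given Electron
// version predate the CVE-2026-34772 fix on its release line?
// Fixed releases per the advisory: 38.8.6, 39.8.0, 40.7.0, 41.0.0-beta.7.
const FIXED_BY_MAJOR = {
  38: '38.8.6',
  39: '39.8.0',
  40: '40.7.0',
  41: '41.0.0-beta.7',
};

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null,
  };
}

// Semver prerelease ordering: a release without prerelease ranks above any
// prerelease; numeric identifiers compare numerically, others lexically.
function comparePre(a, b) {
  if (!a && !b) return 0;
  if (!a) return 1;
  if (!b) return -1;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    if (a[i] === undefined) return -1;
    if (b[i] === undefined) return 1;
    const an = /^\d+$/.test(a[i]);
    const bn = /^\d+$/.test(b[i]);
    if (an && bn) {
      const d = Number(a[i]) - Number(b[i]);
      if (d !== 0) return d < 0 ? -1 : 1;
    } else if (an) {
      return -1;
    } else if (bn) {
      return 1;
    } else if (a[i] !== b[i]) {
      return a[i] < b[i] ? -1 : 1;
    }
  }
  return 0;
}

function compareVersions(x, y) {
  const a = parseVersion(x);
  const b = parseVersion(y);
  for (let i = 0; i < 3; i++) {
    if (a.main[i] !== b.main[i]) return a.main[i] < b.main[i] ? -1 : 1;
  }
  return comparePre(a.pre, b.pre);
}

// true when `version` is below the fixed release on its line.
function isAffected(version) {
  const major = parseVersion(version).main[0];
  if (major < 38) return true;          // assumption: older lines are unpatched
  const fixed = FIXED_BY_MAJOR[major];
  if (!fixed) return false;             // assumption: lines after 41 carry the fix
  return compareVersions(version, fixed) < 0;
}

module.exports = { parseVersion, compareVersions, isAffected };
```

Feed `isAffected` the version from `node_modules/electron/package.json` (or `process.versions.electron` inside the app) to answer the version check; the other two conditions, whether the app permits downloads and whether it destroys sessions at runtime, need a code review rather than a version lookup.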
How do I fix CVE-2026-34772?
Upgrade to Electron 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.7, or a later release on the same line. As a workaround until then, avoid destroying a session while one of its download save dialogs may still be open: track the downloads a session hands out and cancel any that are still pending before tearing the session down.