CVE-2026-34771: Electron Use-After-Free in Permission Handling
Platform: nodejs
Component: electron
Fixed in: 38.8.6
CVE-2026-34771 describes a use-after-free vulnerability affecting Electron applications. Specifically, apps utilizing asynchronous `session.setPermissionRequestHandler()` are susceptible when handling fullscreen, pointer-lock, or keyboard-lock permission requests. This flaw, present in Electron versions up to and including 38.8.6, can lead to crashes or memory corruption. Responding to permission requests synchronously can mitigate the risk; a full patch is not yet available.
How to fix
No official patch available. Check for workarounds or monitor for updates.
Frequently asked questions
What is CVE-2026-34771?
CVE-2026-34771 is a use-after-free vulnerability in Electron's permission request handling. It occurs when an asynchronous permission request handler attempts to access freed memory, potentially leading to crashes or memory corruption.
Am I affected by CVE-2026-34771?
You are affected if your Electron application uses an asynchronous `session.setPermissionRequestHandler()` and handles fullscreen, pointer-lock, or keyboard-lock permissions. Electron versions up to and including 38.8.6 are vulnerable.
How do I fix or mitigate CVE-2026-34771?
To mitigate this vulnerability, respond to permission requests synchronously. Alternatively, deny fullscreen, pointer-lock, and keyboard-lock permissions. A full patch is not yet available.
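One way to apply the mitigation described above, as an added example that is not code from Electron or from this advisory: a wrapper that answers the three affected permissions synchronously from an in-memory allowlist and leaves all other permissions to the app's existing handler. The names `makeSyncGuard`, `installGuard` and `allowedOrigins` are hypothetical, and denying by default when no handler is supplied is an assumption of this sketch.

```javascript
// Added example: names below (makeSyncGuard, installGuard, allowedOrigins) are hypothetical.
// Permission strings Electron passes to the handler for the three affected request types.
const AFFECTED = new Set(['fullscreen', 'pointerLock', 'keyboardLock']);

// Returns a handler that answers the affected permissions before it returns
// and hands every other permission to the app's existing handler.
function makeSyncGuard(existingHandler, allowedOrigins = []) {
  const allow = new Set(allowedOrigins);
  return function guardedHandler(webContents, permission, callback, details) {
    if (AFFECTED.has(permission)) {
      // In-memory decision only: no await, timers, dialogs or IPC on this path.
      let origin = null;
      try {
        origin = new URL(details.requestingUrl).origin;
      } catch {
        origin = null; // missing or unparsable URL: fall through to deny
      }
      callback(origin !== null && allow.has(origin));
      return;
    }
    if (typeof existingHandler === 'function') {
      existingHandler(webContents, permission, callback, details);
      return;
    }
    callback(false); // no app handler supplied: deny by default
  };
}

// `session` is an Electron Session, e.g. session.defaultSession in the main process.
function installGuard(session, existingHandler, allowedOrigins) {
  session.setPermissionRequestHandler(makeSyncGuard(existingHandler, allowedOrigins));
}
```

With an empty `allowedOrigins`, fullscreen, pointer-lock and keyboard-lock requests are always denied, which matches the alternative mitigation in the answer above.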