CVE-2026-34776: Electron OOB Read in requestSingleInstanceLock
Platform: nodejs
Component: electron
Fixed in: 38.8.6
CVE-2026-34776 is an out-of-bounds heap read vulnerability affecting Electron applications on macOS and Linux. Specifically, apps using `app.requestSingleInstanceLock()` are susceptible when parsing maliciously crafted second-instance messages, potentially leaking memory to the `second-instance` event handler. This issue impacts Electron versions up to and including 38.8.6. Patched versions 40.8.1 and 41.0.0 resolve this vulnerability.
How to fix
Upgrade to an Electron version that includes the fix, such as 38.8.6, 39.8.1, 40.8.1 or 41.0.0. This update addresses an out-of-bounds read in the handling of second-instance messages, preventing possible memory leakage to applications that use `app.requestSingleInstanceLock()`.
Frequently asked questions
What is CVE-2026-34776?
CVE-2026-34776 is an out-of-bounds heap read vulnerability in Electron that occurs when parsing crafted second-instance messages when using `app.requestSingleInstanceLock()` on macOS and Linux.
Am I affected by CVE-2026-34776?
You are affected if your Electron application on macOS or Linux calls `app.requestSingleInstanceLock()` and uses a version less than or equal to 38.8.6. Windows applications are not affected.
How do I fix CVE-2026-34776?
To fix CVE-2026-34776, upgrade your Electron application to version 40.8.1 or 41.0.0 or later. There are no application-side workarounds available.
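The three conditions above (Electron version before the fix for its major line, macOS or Linux, and a call to `app.requestSingleInstanceLock()`) can be checked mechanically against a project's `package.json` and main-process source. The following is an added example, not code from the advisory or from Electron; the per-major fixed versions are taken from the "How to fix" list, the treatment of prerelease tags and of major lines older than 38 (no fixed release listed, so treated as affected) is an assumption, and the sample inputs are constructed.

```javascript
// Fixed versions per Electron major line, as listed in the advisory's "How to fix".
const FIXED_BY_MAJOR = { 38: '38.8.6', 39: '39.8.1', 40: '40.8.1', 41: '41.0.0' };
// process.platform values the advisory names as affected (Windows is not).
const AFFECTED_PLATFORMS = new Set(['darwin', 'linux']);

// Parse "41.0.0", "^40.8.1" or "38.8.6-beta.1" into numeric [major, minor, patch].
// Range prefixes (^, ~, =, v) are stripped so a package.json spec is checked at its
// minimum version; prerelease tags are ignored (assumption, not from the advisory).
function parseVersion(spec) {
  const m = /^[\^~=v]*(\d+)\.(\d+)\.(\d+)/.exec(spec.trim());
  if (!m) throw new Error(`unparseable Electron version: ${spec}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// True when the given Electron version predates the fix for its major line.
// Majors newer than 41 ship the fix; majors older than 38 have no fixed release
// listed and are treated as affected (assumption).
function isVulnerableVersion(spec) {
  const v = parseVersion(spec);
  const fixed = FIXED_BY_MAJOR[v[0]];
  if (!fixed) return v[0] < 38;
  return compareVersions(v, parseVersion(fixed)) < 0;
}

// Combine the advisory's three conditions into one verdict with a reason.
function assessApp({ electronVersion, platform, usesSingleInstanceLock }) {
  if (!usesSingleInstanceLock) return { affected: false, reason: 'requestSingleInstanceLock not used' };
  if (!AFFECTED_PLATFORMS.has(platform)) return { affected: false, reason: `${platform} not affected` };
  if (!isVulnerableVersion(electronVersion)) return { affected: false, reason: 'fixed Electron version' };
  const [major] = parseVersion(electronVersion);
  return { affected: true, upgradeTo: FIXED_BY_MAJOR[major] || '41.0.0' };
}

// Detect the lock call in main-process source and read the version from package.json.
function assessFromSources(pkg, mainSource, platform) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return assessApp({
    electronVersion: deps.electron,
    platform,
    usesSingleInstanceLock: /requestSingleInstanceLock\s*\(/.test(mainSource),
  });
}

// Constructed sample inputs: a package.json fragment and a main-process snippet.
const samplePackageJson = { devDependencies: { electron: '^38.7.0' } };
const sampleMainJs = "const gotLock = app.requestSingleInstanceLock();\napp.on('second-instance', (e, argv) => {});";
console.log(assessFromSources(samplePackageJson, sampleMainJs, process.platform));
```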