CVE-2026-34770: Electron Use-After-Free in powerMonitor (≤38.8.6)
Platform: nodejs
Component: electron
Fixed in: 38.8.6
CVE-2026-34770 describes a use-after-free vulnerability within the `powerMonitor` module of Electron. This flaw can lead to crashes or memory corruption due to dangling references after the native `PowerMonitor` object is garbage-collected. Applications utilizing `powerMonitor` events such as `suspend`, `resume`, and `lock-screen` are potentially affected in Electron versions up to and including 38.8.6. Currently, there is no official patch available to address this vulnerability.
How to fix
Upgrade to an Electron version that includes the fix, such as 38.8.6, 39.8.1, 40.8.0 or 41.0.0-beta.8. This update addresses the use-after-free by correctly managing operating-system resources after `PowerMonitor` objects are garbage-collected.
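To check an inventory of Electron versions against the fixed releases listed above, the following added example (not code from Electron or from this advisory) classifies each version by its major line. The function names and the sample inventory are constructed for illustration; it assumes Electron's `X.Y.Z-<channel>.<n>` pre-release format and reports major lines newer than those listed as `unlisted` rather than guessing.

```javascript
// Added example. Fixed releases per major line, as listed under "How to fix".
const FIXED = { 38: '38.8.6', 39: '39.8.1', 40: '40.8.0', 41: '41.0.0-beta.8' };
// Electron pre-release channels in release order; a stable build ranks last.
const CHANNEL_RANK = { nightly: 0, alpha: 1, beta: 2, stable: 3 };

// Turn "X.Y.Z" or "X.Y.Z-<channel>.<n>" into a tuple that compares field by field.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-(nightly|alpha|beta)\.(\d+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Electron version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3]),
          CHANNEL_RANK[m[4] || 'stable'], Number(m[5] || 0)];
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < x.length; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Classify one version: 'affected', 'fixed', or 'unlisted' when the page names
// no fixed release for that major line (majors newer than 41). Majors older
// than 38 are 'affected' with fixedIn null: the page lists no fix for them.
function checkElectronVersion(version) {
  const major = parseVersion(version)[0];
  const listed = Object.keys(FIXED).map(Number);
  if (major < Math.min(...listed)) return { version, status: 'affected', fixedIn: null };
  if (major > Math.max(...listed)) return { version, status: 'unlisted', fixedIn: null };
  const fixedIn = FIXED[major];
  const status = compareVersions(version, fixedIn) >= 0 ? 'fixed' : 'affected';
  return { version, status, fixedIn };
}

// Constructed sample inventory (not real deployments).
const inventory = ['37.10.3', '38.8.5', '38.8.6', '39.8.0', '41.0.0-beta.7', '41.0.0'];
for (const v of inventory) {
  const r = checkElectronVersion(v);
  console.log(`${r.version.padEnd(14)} ${r.status.padEnd(9)} ${r.fixedIn ? 'fix: ' + r.fixedIn : ''}`);
}

// Inside an Electron process the running version is process.versions.electron.
if (process.versions.electron) {
  console.log('running:', checkElectronVersion(process.versions.electron));
}
```

The pre-release handling matters for the 41 line: a `41.0.0-nightly` or `41.0.0-alpha` build sorts before `41.0.0-beta.8` and is reported as affected, which a plain string comparison would get wrong.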
Frequently asked questions
What is CVE-2026-34770?
CVE-2026-34770 is a use-after-free vulnerability in Electron's `powerMonitor` module. It occurs when the native `PowerMonitor` object is garbage-collected, leaving dangling references that can lead to crashes or memory corruption.
Am I affected by CVE-2026-34770?
You are potentially affected if your Electron application uses the `powerMonitor` module and its events (like `suspend`, `resume`, `lock-screen`) and is running on Electron version 38.8.6 or earlier.
How can I fix or mitigate CVE-2026-34770?
Currently, there is no official patch available for CVE-2026-34770. Monitor Electron's security advisories for updates and potential workarounds.