CVE-2026-34772: Electron Use-After-Free in Download Handling
Platform: nodejs
Component: electron
Fixed in: 38.8.6
CVE-2026-34772 is a use-after-free vulnerability in Electron. The flaw is triggered when an application destroys a session while a native save-file dialog for a download on that session is still open: when the dialog later completes or is dismissed, code paths tied to the download dereference the already-freed session state, which can crash the process or corrupt memory. The vulnerability is fixed in 38.8.6, 39.8.0, 40.7.0 and 41.0.0-beta.7; releases earlier than those in each line (38.x before 38.8.6, 39.x before 39.8.0, 40.x before 40.7.0, and 41.0.0 betas before beta.7) are affected.
How to fix
Upgrade to an Electron release that contains the fix: 38.8.6, 39.8.0, 40.7.0 or 41.0.0-beta.7, or any later release in the same line. Test the application thoroughly after upgrading to confirm compatibility. If upgrading immediately is not possible, mitigate by ensuring a session is never destroyed while a save-file dialog may be open, for example by cancelling every in-flight download on that session before tearing it down.
Frequently asked questions
What is CVE-2026-34772?
CVE-2026-34772 is a use-after-free vulnerability in Electron that occurs when a session is torn down while a native save-file dialog is open for a download, potentially leading to crashes or memory corruption.
Am I affected by CVE-2026-34772?
You are potentially affected if your application runs on an Electron release older than the fixed version for its line (38.x before 38.8.6, 39.x before 39.8.0, 40.x before 40.7.0, or a 41.0.0 beta before beta.7), allows downloads that can open the native save dialog, and destroys sessions programmatically. Applications that never destroy sessions, or that never let a download reach the save dialog, are not affected.
How do I fix CVE-2026-34772?
Upgrade to Electron 38.8.6, 39.8.0, 40.7.0 or 41.0.0-beta.7, or any later release in the same line. As a workaround, avoid destroying a session while a download save dialog may be open on it, or cancel the session's pending downloads before tearing it down.