CVE-2026-34771: Electron Use-After-Free Vulnerability (≤38.8.6)
Platform: nodejs
Component: electron
Fixed in: 38.8.6
CVE-2026-34771 describes a use-after-free vulnerability affecting Electron applications. This flaw occurs when handling fullscreen, pointer-lock, or keyboard-lock permission requests asynchronously, potentially leading to crashes or memory corruption. Apps using Electron versions up to 38.8.6 are affected if they register an asynchronous `session.setPermissionRequestHandler()`. Responding to permission requests synchronously can mitigate the risk; a full patch is not yet available.
How to fix
Upgrade to an Electron version that includes the fix, such as 38.8.6, 39.8.0, 40.7.0 or 41.0.0-beta.8. This update fixes a use-after-free issue that could cause crashes or memory corruption when handling fullscreen, pointer-lock or keyboard-lock permission requests.
Frequently asked questions
What is CVE-2026-34771?
CVE-2026-34771 is a use-after-free vulnerability in Electron that can occur when handling permission requests asynchronously, potentially leading to crashes or memory corruption.
Am I affected by CVE-2026-34771?
You are affected if you are using Electron version 38.8.6 or earlier and your application registers an asynchronous `session.setPermissionRequestHandler()`.
How do I fix or mitigate CVE-2026-34771?
To mitigate this vulnerability, respond to permission requests synchronously. A full patch addressing this issue is not yet available.
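The synchronous-response mitigation described above, as an added example (not code from Electron or from this advisory): the handler answers `fullscreen`, `pointerLock` and `keyboardLock` requests before it returns, using an allowlist already held in memory, and `probe` lets a unit test confirm that. `ALLOWED_ORIGINS`, `asyncPolicyLookup`, `probe` and `install` are hypothetical names, and the origin shown is a constructed sample.

```javascript
// Permission types named in the advisory; these must never be answered late.
const SYNC_ONLY = new Set(['fullscreen', 'pointerLock', 'keyboardLock']);

// Constructed allowlist, loaded before the handler is registered so the
// decision never has to wait on I/O or a user prompt.
const ALLOWED_ORIGINS = new Set(['https://app.example.test']);

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Hypothetical slow policy lookup (settings store, prompt, ...), used only
// for permissions outside the affected set.
function asyncPolicyLookup(permission, origin) {
  return Promise.resolve(false);
}

// Signature matches session.setPermissionRequestHandler's handler argument.
function permissionHandler(webContents, permission, callback, details) {
  const origin = originOf(details && details.requestingUrl);
  if (SYNC_ONLY.has(permission)) {
    // Answer before returning: no await, no timer, no promise chain.
    callback(origin !== null && ALLOWED_ORIGINS.has(origin));
    return;
  }
  asyncPolicyLookup(permission, origin).then(callback, () => callback(false));
}

// Audit helper for unit tests: reports whether the callback had already been
// invoked when the handler returned, and with which decision.
function probe(handler, permission, requestingUrl) {
  const result = { called: false, granted: null };
  handler({}, permission, (granted) => {
    if (!result.called) { result.called = true; result.granted = granted; }
  }, { requestingUrl });
  return { ...result }; // snapshot taken at return time
}

// Registration in the main process; ses is e.g. session.defaultSession.
function install(ses) {
  ses.setPermissionRequestHandler(permissionHandler);
}
```

Running `probe` over every handler an application registers, for each of the three permission names, flags any code path that still defers its answer.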