Platform: nodejs
Component: electron
Fixed in: 38.8.7, 39.0.1, 40.0.1, 41.0.1
CVE-2026-34770 describes a use-after-free vulnerability within the powerMonitor module of Electron. This flaw can lead to crashes or memory corruption due to dangling references after the native PowerMonitor object is garbage-collected. Applications utilizing powerMonitor events such as suspend, resume, and lock-screen are potentially affected in Electron versions up to and including 38.8.6. Currently, there is no official patch available to address this vulnerability.
CVE-2026-34770 in Electron affects versions prior to 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, presenting a 'use-after-free' vulnerability when utilizing the powerMonitor module. This occurs because after the native PowerMonitor object is garbage collected, associated operating system-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) can trigger unpredictable behavior, potentially allowing an attacker to execute arbitrary code or cause a denial-of-service. The severity is rated as CVSS 7.0, indicating a moderate risk.
Exploitation of this vulnerability requires an attacker to be able to trigger a session-change event (on Windows) or a system shutdown (on macOS) after the PowerMonitor object has been garbage collected. This could be achieved by manipulating the operating system or by executing malicious code within the Electron application. The difficulty of exploitation depends on the attacker's ability to control system event flow. While exploitation may be complex, the potential impact (arbitrary code execution) justifies applying the fix.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS Vector
The solution to this vulnerability is to upgrade to Electron version 38.8.6 or higher, 39.8.1 or higher, 40.8.0 or higher, or 41.0.0-beta.8 or higher. These versions include fixes that eliminate the dangling references and prevent the use-after-free. Developers using Electron are strongly encouraged to update their applications as soon as possible to mitigate this risk. Additionally, review your code to ensure the powerMonitor module is being used securely and that unnecessary references are not being created. Applying security patches is an essential practice for maintaining Electron application security.
Update to an Electron version that includes the fix, such as 38.8.6, 39.8.1, 40.8.0 or 41.0.0-beta.8. This update addresses the use-after-free issue by correctly managing operating-system resources after the native object is reclaimed by the garbage collector.
It's an error that occurs when a program attempts to access memory that has already been freed, which can lead to unpredictable behavior or a security vulnerability.
It's an Electron module that allows applications to monitor and respond to system power-related events, such as battery changes or system shutdown.
You can check the Electron version by running electron --version in your terminal.
If you cannot update immediately, consider implementing temporary mitigation measures, such as limiting the use of the powerMonitor module or implementing additional checks to prevent access to freed memory.
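The upgrade guidance and the interim mitigation above, as an added example that is not part of this advisory or of the Electron project: a startup gate the application runs before registering any powerMonitor listeners, so an unpatched runtime skips the module instead of wiring suspend/resume/lock-screen handlers. It assumes the first-fixed releases from the "Fixed in" header (the page's prose cites a different set, which the table parameter accommodates); `guardPowerMonitor` and its `registerListeners` callback are hypothetical names.

```javascript
// Added example, not advisory or Electron project code: gate powerMonitor use on
// the running Electron version so an unpatched runtime never wires the listeners.
// First fixed release per major line, from the advisory's "Fixed in" header. The
// prose cites another set (38.8.6, 39.8.1, 40.8.0, 41.0.0-beta.8); pass your own table.
const FIRST_FIXED_BY_MAJOR = { 38: '38.8.7', 39: '39.0.1', 40: '40.0.1', 41: '41.0.1' };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (leading "v" tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Electron version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}
// Prerelease ordering: dot-separated identifiers, numeric ones compared as numbers.
function comparePre(a, b) {
  const pa = a.split('.'), pb = b.split('.');
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    if (pa[i] === undefined || pb[i] === undefined) return pa[i] === undefined ? -1 : 1;
    const num = /^\d+$/.test(pa[i]) && /^\d+$/.test(pb[i]);
    const [u, w] = num ? [+pa[i], +pb[i]] : [pa[i], pb[i]];
    if (u !== w) return u < w ? -1 : 1;
  }
  return 0;
}
// Semver-style ordering: numeric core first; a prerelease sorts below its release.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre === null || y.pre === null) return x.pre === y.pre ? 0 : (x.pre === null ? 1 : -1);
  return comparePre(x.pre, y.pre);
}

// True when the version predates the fix for its major line; lines older than the
// table never received a fix (affected), newer lines are treated as fixed.
function isAffected(version, table = FIRST_FIXED_BY_MAJOR) {
  const { major } = parseVersion(version);
  const majors = Object.keys(table).map(Number);
  if (major < Math.min(...majors)) return true;
  if (major > Math.max(...majors)) return false;
  return compareVersions(version, table[major]) < 0;
}

// Register the app's listeners only on a fixed runtime. `registerListeners` is a
// hypothetical callback; a real app passes process.versions.electron as `version`.
function guardPowerMonitor(version, registerListeners) {
  if (isAffected(version)) return { registered: false, reason: `CVE-2026-34770: Electron ${version} predates the fix` };
  registerListeners();
  return { registered: true, reason: null };
}
```

Run the gate in the main process before any `powerMonitor.on(...)` call; a `registered: false` result is the signal to log and schedule the upgrade rather than to fall back to the module.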
Yes, there are static and dynamic analysis tools that can help detect 'use-after-free' vulnerabilities in Electron code.