Platform: nodejs
Component: electron
Fixed in: 38.8.7, 39.0.1, 40.0.1, 41.0.1
CVE-2026-34771 describes a use-after-free vulnerability discovered in Electron, a framework for building cross-platform desktop applications. This flaw arises when asynchronous session permission request handlers (fullscreen, pointer-lock, or keyboard-lock) are mishandled, potentially leading to crashes or memory corruption. The vulnerability impacts Electron versions 38.0.0 through 40.7.0, and 41.0.0-alpha.1 up to but not including 41.0.0-beta.8; a fix is available in version 38.8.6.
An attacker exploiting this vulnerability could trigger a crash or memory corruption within an Electron application. This could lead to denial of service or, in more severe cases, to arbitrary code execution if the memory corruption overwrites critical data structures. The impact is particularly concerning for applications that handle sensitive user data or run with elevated privileges. While the description does not explicitly detail a remote exploitation path, a malicious website or application could trigger the vulnerability if it interacts with an Electron app that has a vulnerable permission handler registered. The blast radius depends on the privileges of the Electron application itself.
This CVE was published on 2026-04-03. There is no indication of active exploitation or inclusion on the CISA KEV catalog at the time of writing. Public proof-of-concept (POC) code is currently unavailable, but the use-after-free nature of the vulnerability suggests that a POC could be developed relatively easily. The vulnerability's impact is dependent on the specific implementation of permission request handlers within Electron applications.
Exploit Status
EPSS: 0.04% (13th percentile)
The primary mitigation for CVE-2026-34771 is to upgrade to Electron version 38.8.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the asynchronous session.setPermissionRequestHandler() functionality if it's not essential. Carefully review the Electron changelog for potential breaking changes before upgrading. There are no specific WAF or proxy rules that can directly address this vulnerability, as it's a code-level issue within the Electron application. Monitor Electron application logs for crashes or unexpected behavior that might indicate exploitation.
Update to a version of Electron that includes the fix, such as 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8. This update resolves a use-after-free issue that can occur when handling fullscreen, pointer-lock, or keyboard-lock permission requests, preventing potential crashes or memory corruption.
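The version gate below is an added example, not code from this advisory or from the Electron project: it compares the running Electron version against the fixed releases named above and registers the application's asynchronous session.setPermissionRequestHandler() only on a fixed build, leaving it unregistered otherwise, as the mitigation suggests. The per-major lower bounds (38.0.0, 39.0.0, 40.0.0) and the 41.x range starting at 41.0.0-alpha.1 are assumptions read from the ranges stated on this page; in an app, `ses` would be `session.defaultSession` and `version` would be `process.versions.electron`.

```javascript
// Added example: gate async permission-handler registration on the Electron
// version. Fixed versions are the ones stated in the advisory text above.
const FIXED_IN = { 38: '38.8.6', 39: '39.8.0', 40: '40.7.0', 41: '41.0.0-beta.8' };
// Assumption: the 41.x affected range starts at the first prerelease the page names.
const FIRST_AFFECTED_41 = '41.0.0-alpha.1';

// Parse "MAJOR.MINOR.PATCH[-pre.release]" into numeric core parts and prerelease ids.
function parseVersion(v) {
  const [core, pre] = v.split('-');
  return { core: core.split('.').map(Number), pre: pre ? pre.split('.') : null };
}

// SemVer-style ordering: numeric core first, then a release outranks any
// prerelease, then prerelease identifiers (numeric ids sort below alphanumeric).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;   // shorter prerelease list sorts first
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn !== yn) return xn ? -1 : 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the given version falls inside one of the affected ranges.
function isAffected(version) {
  const major = parseVersion(version).core[0];
  const fixed = FIXED_IN[major];
  if (!fixed) return false;  // majors the advisory does not list
  if (major === 41 && compareVersions(version, FIRST_AFFECTED_41) < 0) return false;
  return compareVersions(version, fixed) < 0;
}

// Register the app's async handler only on a fixed build; on an affected build
// the handler is left unregistered, matching the advisory's interim advice.
function installPermissionHandler(ses, asyncHandler, version) {
  if (isAffected(version)) return { registered: false, version };
  ses.setPermissionRequestHandler(asyncHandler);  // Electron session API
  return { registered: true, version };
}
```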
CVE-2026-34771 is a HIGH severity vulnerability in Electron where a pending permission request handler can lead to memory corruption and crashes.
You are affected if you are using Electron versions 38.0.0 through 40.7.0, or 41.0.0-alpha.1 up to but not including 41.0.0-beta.8, and have registered an asynchronous session.setPermissionRequestHandler().
Upgrade to Electron version 38.8.6 or later to resolve this vulnerability. Consider disabling the permission request handler if upgrading is not immediately possible.
There is currently no public information indicating active exploitation of CVE-2026-34771.
Refer to the Electron security advisories on the Electron GitHub repository for official information: https://github.com/electron/electron/security