Platform: nodejs
Component: electron
Fixed in: 38.8.7, 39.0.1, 40.0.1, 41.0.1, 38.8.6
CVE-2026-34772 describes a use-after-free vulnerability in Electron applications. The flaw is triggered when a session is programmatically destroyed while a native save-file dialog for a download is still open; dismissing the dialog afterwards can cause a crash or memory corruption. Versions prior to 38.8.6 are affected; upgrading to a patched version is recommended.
The core impact of CVE-2026-34772 is memory corruption. If a session is torn down while a download save dialog is active, dismissing the dialog can trigger a use-after-free: the application accesses memory that has already been freed, which can lead to a crash, unexpected behavior, or, in the worst case, arbitrary code execution. The consequences are more serious for applications that handle sensitive data or perform critical operations, where a crash can mean data loss or denial of service. No direct remote code execution path has been identified, but memory corruption of this kind can serve as a stepping stone for more sophisticated attacks.
CVE-2026-34772 was publicly disclosed on April 3, 2026. There is no indication of active exploitation at this time. The practical impact depends on the specific application's architecture and on how it handles sessions and downloads. The use-after-free nature of the flaw suggests it could be exploitable, but doing so would require carefully crafted attack vectors. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (4th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-34772 is to upgrade Electron to version 38.8.6 or later. If upgrading is not immediately feasible, apply workarounds that prevent the vulnerable sequence: do not destroy a session while a download save dialog may still be open. Cancel any pending downloads before initiating session teardown, or track the state of each download and its dialog and only destroy the session once the dialog has closed. Add robust error handling so that potential memory access errors are caught and handled as gracefully as possible.
Update to a version of Electron that includes the fix, such as 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8. Test your application thoroughly after the update to confirm compatibility. If updating immediately is not possible, apply mitigation measures that avoid destroying sessions while file save dialogs are open.
CVE-2026-34772 is a vulnerability in Electron where dismissing a download dialog after a session is destroyed can cause memory corruption, potentially leading to crashes.
You are affected if you are using Electron versions prior to 38.8.6 and your application allows downloads and programmatically destroys user sessions.
Upgrade Electron to version 38.8.6 or later. As a temporary workaround, cancel pending downloads before session teardown.
There is currently no evidence of active exploitation of CVE-2026-34772.
Refer to the official Electron security advisories on the Electron GitHub repository for detailed information and updates.