Platform: nodejs
Component: electron
Fixed in: 39.8.6, 40.0.1, 41.0.1, 42.0.1, 39.8.5
CVE-2026-34781 describes a denial-of-service vulnerability within Electron applications. This vulnerability arises when apps attempt to read image data from the system clipboard using clipboard.readImage() and encounter invalid image formats. The resulting crash can disrupt application functionality and potentially impact user experience. Affected versions are those prior to Electron 39.8.5; upgrading to this version resolves the issue.
The primary impact of CVE-2026-34781 is a denial-of-service (DoS). An attacker could craft a malicious image and place it in the system clipboard. When an Electron application calls clipboard.readImage() to retrieve this image, the application will crash due to the invalid image data. This crash prevents the application from continuing its normal operation, effectively denying service to the user. While this vulnerability does not allow for memory corruption or code execution, it can still be disruptive, especially in critical applications. The attacker does not need to interact with the application directly; simply populating the clipboard with a crafted image is sufficient to trigger the vulnerability.
CVE-2026-34781 is not currently listed on the CISA KEV catalog. The EPSS score is likely low, given the lack of public exploitation and the limited impact (DoS only). No public proof-of-concept (PoC) exploits have been observed at the time of writing. The vulnerability was disclosed on 2026-04-07.
Exploit Status
EPSS: 0.01% (3% percentile)
The primary mitigation for CVE-2026-34781 is to upgrade Electron applications to version 39.8.5 or later. Before calling clipboard.readImage(), applications should validate that the clipboard contains image data using clipboard.availableFormats(). This check will prevent the application from attempting to decode invalid image formats. If upgrading is not immediately feasible, consider implementing a robust error handling mechanism around the clipboard.readImage() call to gracefully handle potential decoding errors and prevent application crashes. After upgrading, confirm functionality by attempting to read images from the clipboard and verifying that the application does not crash.
Update Electron to version 39.8.5, 40.8.5, 41.1.0, or 42.0.0-alpha.5 or higher to mitigate the vulnerability. This update fixes the issue by correctly validating clipboard image data, preventing the application from crashing when encountering malformed data.
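One way to implement the availableFormats() pre-check and the error handling described above, as an added example that is not code from the Electron project or the advisory. The function name safeReadClipboardImage, the format allowlist and the reason strings are hypothetical; the clipboard object is passed in as a parameter so the logic can be exercised outside Electron.

```javascript
'use strict';

// Formats this app is willing to decode (assumed allowlist; adjust per app).
const ALLOWED_IMAGE_FORMATS = new Set(['image/png', 'image/jpeg', 'image/bmp']);

/**
 * Guarded wrapper around clipboard.readImage().
 * `clipboard` is Electron's clipboard module (or a stub with the same methods).
 * Returns { image, reason }; image is null whenever the read was skipped or failed.
 */
function safeReadClipboardImage(clipboard) {
  let formats;
  try {
    formats = clipboard.availableFormats();
  } catch (err) {
    return { image: null, reason: 'formats-unavailable' };
  }

  // Skip the decode entirely unless an expected image format is advertised.
  const hasImage = Array.isArray(formats) &&
    formats.some((f) => ALLOWED_IMAGE_FORMATS.has(String(f).toLowerCase()));
  if (!hasImage) {
    return { image: null, reason: 'no-image-format' };
  }

  let image;
  try {
    image = clipboard.readImage();
  } catch (err) {
    // try/catch only helps when the failure surfaces as a JavaScript exception;
    // it cannot intercept a crash of the process itself, so upgrading still matters.
    return { image: null, reason: 'decode-error' };
  }

  // readImage() returns a NativeImage; treat an empty one as "nothing usable".
  if (!image || image.isEmpty()) {
    return { image: null, reason: 'empty-image' };
  }
  return { image, reason: 'ok' };
}

// In an Electron process:
//   const { clipboard } = require('electron');
//   const { image, reason } = safeReadClipboardImage(clipboard);
```

Logging the reason value for skipped reads gives a simple signal for how often the clipboard held unexpected content.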
CVE-2026-34781 is a denial-of-service vulnerability in Electron applications that occurs when invalid image data is read from the clipboard using clipboard.readImage(), leading to an application crash.
You are affected if your Electron application uses clipboard.readImage() and is running a version prior to 39.8.5. Applications that do not read images from the clipboard are not affected.
Upgrade your Electron application to version 39.8.5 or later. Before calling clipboard.readImage(), validate that the clipboard contains image data using clipboard.availableFormats().
There are currently no reports of active exploitation of CVE-2026-34781, but it is important to apply the fix to prevent potential future attacks.
Refer to the official Electron security advisory for CVE-2026-34781 on the Electron website: https://electronjs.org/blog/security-advisories/