CVE-2026-34766: Electron USB Device Selection Vulnerability
Platform: nodejs
Component: electron
Fixed in: 38.8.6
CVE-2026-34766 describes a vulnerability in Electron where the `select-usb-device` event callback fails to validate the chosen device ID against the filtered list. This can lead to an app granting access to a USB device that doesn't match the renderer's requested filters or is listed in exclusion filters. This affects Electron versions up to and including 38.8.6. No official patch is currently available; workarounds may involve careful device-selection logic within the application.
How to fix
Update Electron to version 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8 or later to mitigate the vulnerability. This update fixes the missing validation of selected USB device IDs, preventing access to unauthorized devices.
Frequently asked questions
What is CVE-2026-34766?
CVE-2026-34766 is a vulnerability in Electron that allows unauthorized USB device access due to missing validation in the `select-usb-device` event callback.
Am I affected by CVE-2026-34766?
You are potentially affected if you are using Electron version 38.8.6 or earlier and your application's device-selection logic could be influenced to select a device ID outside the filtered set.
How can I fix or mitigate CVE-2026-34766?
Currently, there is no official patch available. Mitigation strategies involve carefully reviewing and adjusting device-selection logic within the application to ensure proper validation.
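One way to apply the device-selection validation described above, as an added example that is not Electron's or this page's own code: the `select-usb-device` listener passes a device ID to the callback only when that ID appears in `details.deviceList` and the device matches an app-level allowlist. The helper names, `getPreferredId`, the allowlist and the sample devices are hypothetical, and the example assumes `details.deviceList` is the filtered list the advisory refers to.

```javascript
// Added example. Helper names, the allowlist and sample devices are hypothetical.
// App-level allowlist of vendor/product pairs (constructed values).
const USB_ALLOWLIST = [{ vendorId: 0x2341, productId: 0x8057 }];

// Return a device ID only if it is in the list offered for this request
// AND the device matches the app's allowlist; otherwise undefined.
function pickValidatedDevice(deviceList, preferredId, allowlist) {
  const offered = Array.isArray(deviceList) ? deviceList : [];
  const candidate = offered.find((d) => d.deviceId === preferredId);
  if (!candidate) return undefined; // ID did not come from the offered list
  const allowed = allowlist.some(
    (a) => a.vendorId === candidate.vendorId && a.productId === candidate.productId
  );
  return allowed ? candidate.deviceId : undefined;
}

// Build a listener for the session's `select-usb-device` event.
// getPreferredId() stands in for wherever the app gets its choice
// (saved setting, custom picker UI, IPC message).
function makeUsbSelectHandler(getPreferredId, allowlist) {
  return (event, details, callback) => {
    event.preventDefault();
    const id = pickValidatedDevice(details.deviceList, getPreferredId(), allowlist);
    if (id === undefined) {
      callback(); // no argument cancels the request
    } else {
      callback(id);
    }
  };
}

// In the Electron main process (not executed here):
//   session.defaultSession.on('select-usb-device',
//     makeUsbSelectHandler(() => savedDeviceId, USB_ALLOWLIST));

// Constructed sample: what the handler does for three preferred IDs.
function demo() {
  const deviceList = [
    { deviceId: 'dev-a', vendorId: 0x2341, productId: 0x8057 },
    { deviceId: 'dev-b', vendorId: 0x1234, productId: 0x0001 },
  ];
  const run = (preferred) => {
    let result = 'not-called';
    const event = { preventDefault() {} };
    makeUsbSelectHandler(() => preferred, USB_ALLOWLIST)(event, { deviceList }, (id) => { result = id; });
    return result;
  };
  return [run('dev-a'), run('dev-b'), run('dev-x')];
}
```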