Platform: nodejs
Component: electron
Fixed versions: 38.8.7, 39.0.1, 40.0.1, 41.0.1
CVE-2026-34771 is a use-after-free (UAF) vulnerability in Electron's session.setPermissionRequestHandler(). It can cause memory corruption or a crash while a fullscreen, pointer-lock, or keyboard-lock permission request is being handled. Affected are applications that register an asynchronous permission request handler. The issue was fixed in version 38.8.6.
An attacker who reaches this code path can crash the Electron application or corrupt its memory. The direct consequence is denial of service; as with any use-after-free, arbitrary code execution cannot be ruled out if the freed memory is reused in a controlled way, but no such exploitation has been demonstrated for this issue. The exposure is notable because the three permissions involved (fullscreen, pointer lock, keyboard lock) are requested by web content: any page rendered in a vulnerable application's window or webview can issue such a request, so no local access is needed to reach the handler. The blast radius depends on the privileges of the Electron application itself: the permission request handler runs in the main process, so a crash there takes the whole application down, and any code execution would run with the application's OS privileges.
This CVE was published on 2026-04-03. At the time of writing there is no indication of active exploitation, and it is not listed in the CISA KEV catalog. No public proof-of-concept (POC) is available. Triggering a crash is likely to be straightforward, since the affected path is reached by ordinary page script requesting one of the three permissions while an asynchronous handler is pending; turning the use-after-free into anything beyond a crash would take considerably more work and has not been shown. The actual impact depends on how a given application implements its permission request handler.
Applications built with Electron that register an asynchronous session.setPermissionRequestHandler() are at risk. That covers a wide range of desktop applications, particularly those that prompt the user or consult a policy service before answering permission requests. Developers using Electron for cross-platform development, especially those relying on third-party libraries or frameworks that install their own permission request handler, should prioritise patching.
• linux / server: Monitor the application's logs and the kernel log for crashes or segmentation faults. Electron applications run under their own executable name, not "electron", so substitute the application's name when listing processes (ps aux | grep <app-name>) and check their resource usage for anomalies.
journalctl -k | grep -i segfault
• windows / supply-chain: Use Process Monitor to observe the application's processes and look for unusual memory access patterns or crashes. Check Autoruns for suspicious Electron-related entries.
Get-Process -Name <app-name> | Select-Object Id, CPU, WorkingSet
• generic web: If the application loads remote content, the relevant signal is which pages request fullscreen, pointer lock, or keyboard lock. These requests are made by page script and do not show up in web server access logs, so review the origins the application is allowed to load and any unexpected script being served to it.
Disclosure
Exploit status
EPSS
0.04% (13th percentile)
CISA SSVC
The primary mitigation for CVE-2026-34771 is to upgrade to Electron 38.8.6 or a later release that contains the fix. If upgrading is not immediately feasible because of compatibility issues or breaking changes, make the handler registered with session.setPermissionRequestHandler() answer synchronously, at least for the fullscreen, pointerLock and keyboardLock permissions, since synchronous handlers are not affected: a static allow/deny decision passed to the callback before the handler returns stays off the asynchronous path. Review the Electron changelog for breaking changes before upgrading. No WAF or proxy rule addresses this vulnerability, as it is a code-level issue inside the Electron application; the requests that reach the handler are made by page script, not by HTTP requests a proxy could inspect. Monitor the application's logs for crashes or unexpected behaviour that might indicate exploitation.
Update to an Electron version that includes the fix, such as 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8. The update fixes a use-after-free that can occur when handling fullscreen, pointer-lock, or keyboard-lock permission requests, preventing possible crashes or memory corruption.
A use-after-free (UAF) vulnerability in Electron's session.setPermissionRequestHandler(). Under certain conditions it can cause memory corruption.
Applications that use an asynchronous session.setPermissionRequestHandler() may be affected. Applications whose handler answers synchronously are not affected.
Update Electron to version 38.8.6 or later, which fixes the vulnerability.
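The two handler shapes this page distinguishes, as an added example that is not code from the page or from Electron: the asynchronous form the advisory describes as affected, where every decision waits on a promise, beside a form that answers fullscreen, pointerLock and keyboardLock synchronously from a static policy and only defers the other permissions. The handler signature (webContents, permission, callback, details), details.requestingUrl and webContents.getURL() are Electron's; SYNC_DECIDED, POLICY, the https://app.example origin, makeDeferredHandler, makeSyncLockHandler and the decideSync probe are assumptions made for this example. The use-after-free lives in Electron's native code, so the synchronous handler is a stop-gap that avoids the affected path, not a fix.

```javascript
'use strict';

// Permissions the advisory names as reaching the affected code path when the
// handler answers asynchronously.
const SYNC_DECIDED = new Set(['fullscreen', 'pointerLock', 'keyboardLock']);

// Hypothetical per-origin policy (constructed for this example; a real app
// would load it from its own configuration).
const POLICY = {
  'https://app.example': new Set(['fullscreen', 'pointerLock', 'keyboardLock', 'notifications']),
};

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}

// Affected shape: every decision is deferred behind a promise (a user prompt,
// a policy fetch), so `callback` runs only after the handler has returned.
function makeDeferredHandler(askUser) {
  return (webContents, permission, callback, details) => {
    askUser(permission, details).then((ok) => callback(Boolean(ok)), () => callback(false));
  };
}

// Workaround shape: fullscreen, pointerLock and keyboardLock are answered from
// the static policy before the handler returns; other permissions may still
// wait on the prompt. Unknown origins are denied without prompting.
function makeSyncLockHandler(askUser) {
  return (webContents, permission, callback, details) => {
    const url = details && details.requestingUrl ? details.requestingUrl : webContents.getURL();
    const allowed = POLICY[originOf(url)];
    if (SYNC_DECIDED.has(permission)) {
      callback(Boolean(allowed && allowed.has(permission))); // decided synchronously
      return;
    }
    if (!allowed) { callback(false); return; }
    askUser(permission, details).then((ok) => callback(Boolean(ok)), () => callback(false));
  };
}

// Probe: returns the decision if the handler called back before returning,
// or null if it deferred. The webContents stand-in only provides getURL(),
// which is the real Electron method the handlers above use.
function decideSync(handler, url, permission) {
  let result = null;
  const fakeWebContents = { getURL: () => url };
  handler(fakeWebContents, permission, (ok) => { result = ok; }, { requestingUrl: url });
  return result;
}

// In the main process the handler is installed with
//   session.defaultSession.setPermissionRequestHandler(makeSyncLockHandler(promptUser));
// where promptUser(permission, details) returns a Promise<boolean>, for example
// built on dialog.showMessageBox.
```

The probe is the check to run against an existing handler: if decideSync returns null for fullscreen, pointerLock or keyboardLock, the handler is taking the asynchronous path the advisory describes, and the application should be upgraded rather than rely on the workaround alone.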
CVSS vector