Platform
nodejs
Component
electron
Opgelost in
38.8.7
39.0.1
40.0.1
41.0.1
CVE-2026-34771 is een use-after-free kwetsbaarheid in electron. Apps die een asynchrone session.setPermissionRequestHandler() registreren, kunnen kwetsbaar zijn bij het verwerken van fullscreen, pointer-lock of keyboard-lock permission requests. Als het aanvragende frame navigeert of het venster sluit terwijl de permission handler in behandeling is, kan het aanroepen van de opgeslagen callback leiden tot een crash of memory corruption. Deze kwetsbaarheid treft apps die een permission request handler instellen die asynchroon reageert. De kwetsbaarheid is verholpen in versie 38.8.6.
An attacker exploiting this vulnerability could potentially trigger a crash or memory corruption within an Electron application. This could lead to denial of service, or in more severe cases, allow for arbitrary code execution if the memory corruption overwrites critical data structures. The impact is particularly concerning for applications handling sensitive user data or operating with elevated privileges. While the description doesn't explicitly detail a remote exploitation path, a malicious website or application could trigger the vulnerability if it interacts with an Electron app that has a vulnerable permission handler registered. The blast radius depends on the privileges of the Electron application itself.
This CVE was published on 2026-04-03. There is no indication of active exploitation or inclusion on the CISA KEV catalog at the time of writing. Public proof-of-concept (POC) code is currently unavailable, but the use-after-free nature of the vulnerability suggests that a POC could be developed relatively easily. The vulnerability's impact is dependent on the specific implementation of permission request handlers within Electron applications.
Applications built using Electron that register asynchronous session.setPermissionRequestHandler() are at risk. This includes a wide range of desktop applications, particularly those that handle user permissions or interact with system resources. Developers using Electron for cross-platform development, especially those relying on third-party libraries or components that utilize permission request handlers, should prioritize patching.
• linux / server: Monitor Electron application logs for crashes or segmentation faults. Use ps aux | grep electron to identify running Electron processes and check their resource usage for anomalies.
journalctl -u electron -f | grep -i crash• windows / supply-chain: Use Process Monitor to observe Electron processes and identify any unusual memory access patterns or crashes. Check Autoruns for suspicious Electron-related entries.
Get-Process -Name electron | Select-Object Id, CPU, WorkingSet• generic web: If the Electron application interacts with a web server, examine web server access logs for unusual requests that might trigger the permission request handler.
disclosure
Exploit Status
EPSS
0.04% (13% percentiel)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-34771 is to upgrade to Electron version 38.8.6 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the asynchronous session.setPermissionRequestHandler() functionality if it's not essential. Carefully review the Electron changelog for potential breaking changes before upgrading. There are no specific WAF or proxy rules that can directly address this vulnerability, as it's a code-level issue within the Electron application. Monitor Electron application logs for crashes or unexpected behavior that might indicate exploitation.
Actualice a una versión de Electron que incluya la corrección, como 38.8.6, 39.8.0, 40.7.0 o 41.0.0-beta.8. Esta actualización soluciona un problema de uso después de liberar que puede ocurrir al manejar solicitudes de permisos de pantalla completa, bloqueo de puntero o bloqueo de teclado, previniendo así posibles fallos o corrupción de memoria.
Kwetsbaarheidsanalyses en kritieke waarschuwingen direct in uw inbox.
CVE-2026-34771 is a HIGH severity vulnerability in Electron where a pending permission request handler can lead to memory corruption and crashes.
You are affected if you are using Electron versions 38.0.0–>= 41.0.0-alpha.1, < 41.0.0-beta.8 and have registered an asynchronous session.setPermissionRequestHandler().
Upgrade to Electron version 38.8.6 or later to resolve this vulnerability. Consider disabling the permission request handler if upgrading is not immediately possible.
There is currently no public information indicating active exploitation of CVE-2026-34771.
Refer to the Electron security advisories on the Electron GitHub repository for official information: https://github.com/electron/electron/security
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.