Search for packages
| purl | pkg:npm/electron@38.8.6 |
| Next non-vulnerable version | 39.8.5 |
| Latest non-vulnerable version | 42.0.0-alpha.5 |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-7yvz-624p-m7fe
Aliases: CVE-2026-34764 GHSA-8x5q-pvf5-64mp |
Electron: Use-after-free in offscreen shared texture release() callback |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ttvv-eca2-sfhu
Aliases: CVE-2026-34774 GHSA-532v-xpq5-8h95 |
Electron: Use-after-free in offscreen child window paint callback ### Impact Apps that use offscreen rendering and allow child windows via `window.open()` may be vulnerable to a use-after-free. If the parent offscreen `WebContents` is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering (`webPreferences.offscreen: true`) and their `setWindowOpenHandler` permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected. ### Workarounds Deny child window creation from offscreen renderers in your `setWindowOpenHandler`, or ensure child windows are closed before the parent is destroyed. ### Fixed Versions * `41.0.0` * `40.7.0` * `39.8.1` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
Affected by 3 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2uv6-6zfm-x7c6 | Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows ### Impact On Windows, `app.setAsDefaultProtocolClient(protocol)` did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under `HKCU\Software\Classes\`, potentially hijacking existing protocol handlers. Apps are only affected if they call `app.setAsDefaultProtocolClient()` with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected. ### Workarounds Validate the protocol name matches `/^[a-zA-Z][a-zA-Z0-9+.-]*$/` before passing it to `app.setAsDefaultProtocolClient()`. ### Fixed Versions * `41.0.0` * `40.8.1` * `39.8.1` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
CVE-2026-34773
GHSA-mwmh-mq4g-g6gr |
| VCID-bh69-2dsz-2qbf | Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference ### Impact An undocumented `commandLineSwitches` webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct `webPreferences` by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls. Apps are only affected if they construct `webPreferences` from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded `webPreferences` object are not affected. ### Workarounds Do not spread untrusted input into `webPreferences`. Use an explicit allowlist of permitted preference keys when constructing `BrowserWindow` or `webContents` options from external configuration. ### Fixed Versions * `41.0.0-beta.8` * `40.7.0` * `39.8.0` * `38.8.6` ### For more information If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org) |
CVE-2026-34769
GHSA-9wfr-w7mm-pc7f |
| VCID-cjzy-nxnq-ffdp | Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes ### Impact The `nodeIntegrationInWorker` webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with `nodeIntegrationInWorker: false` could still receive Node.js integration. Apps are only affected if they enable `nodeIntegrationInWorker`. Apps that do not use `nodeIntegrationInWorker` are not affected. ### Workarounds Avoid enabling `nodeIntegrationInWorker` in apps that also open child windows or embed content with differing webPreferences. ### Fixed Versions * `41.0.0` * `40.8.4` * `39.8.4` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
CVE-2026-34775
GHSA-xwr5-m59h-vwqr |
| VCID-erya-bqnr-1qht | Electron: Use-after-free in download save dialog callback ### Impact Apps that allow downloads and programmatically destroy sessions may be vulnerable to a use-after-free. If a session is torn down while a native save-file dialog is open for a download, dismissing the dialog dereferences freed memory, which may lead to a crash or memory corruption. Apps that do not destroy sessions at runtime, or that do not permit downloads, are not affected. ### Workarounds Avoid destroying sessions while a download save dialog may be open. Cancel pending downloads before session teardown. ### Fixed Versions * `41.0.0-beta.7` * `40.7.0` * `39.8.0` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
CVE-2026-34772
GHSA-9w97-2464-8783 |
| VCID-gxk8-9wc6-wkhs | Electron: Service worker can spoof executeJavaScript IPC replies ### Impact A service worker running in a session could spoof reply messages on the internal IPC channel used by `webContents.executeJavaScript()` and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered and use the result of `webContents.executeJavaScript()` (or `webFrameMain.executeJavaScript()`) in security-sensitive decisions. ### Workarounds Do not trust the return value of `webContents.executeJavaScript()` for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers. ### Fixed Versions * `41.0.0` * `40.8.1` * `39.8.1` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
CVE-2026-34778
GHSA-xj5x-m3f3-5x3h |
| VCID-hynm-7wty-ruhq | Electron: AppleScript injection in app.moveToApplicationsFolder on macOS ### Impact On macOS, `app.moveToApplicationsFolder()` used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt. Apps are only affected if they call `app.moveToApplicationsFolder()`. Apps that do not use this API are not affected. ### Workarounds There are no app side workarounds, developers must update to a patched version of Electron. ### Fixed Versions * `41.0.0-beta.8` * `40.8.0` * `39.8.1` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
CVE-2026-34779
GHSA-5rqw-r77c-jp79 |
| VCID-k7gj-cczw-wfeb | Electron: Incorrect origin passed to permission request handler for iframe requests ### Impact When an iframe requests `fullscreen`, `pointerLock`, `keyboardLock`, `openExternal`, or `media` permissions, the origin passed to `session.setPermissionRequestHandler()` was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or `webContents.getURL()` may inadvertently grant permissions to embedded third-party content. The correct requesting URL remains available via `details.requestingUrl`. Apps that already check `details.requestingUrl` are not affected. ### Workarounds In your `setPermissionRequestHandler`, inspect `details.requestingUrl` rather than the origin parameter or `webContents.getURL()` when deciding whether to grant `fullscreen`, `pointerLock`, `keyboardLock`, `openExternal`, or `media` permissions. ### Fixed Versions * `41.0.0` * `40.8.1` * `39.8.1` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
CVE-2026-34777
GHSA-r5p7-gp4j-qhrx |
| VCID-ktbs-t8kb-5kch | Electron: Use-after-free in PowerMonitor on Windows and macOS ### Impact Apps that use the `powerMonitor` module may be vulnerable to a use-after-free. After the native `PowerMonitor` object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption. All apps that access `powerMonitor` events (`suspend`, `resume`, `lock-screen`, etc.) are potentially affected. The issue is not directly renderer-controllable. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `41.0.0-beta.8` * `40.8.0` * `39.8.1` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
CVE-2026-34770
GHSA-jjp3-mq3x-295m |
| VCID-r7j1-66md-zkak | Electron: USB device selection not validated against filtered device list ### Impact The `select-usb-device` event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested `filters` or was listed in `exclusionFilters`. The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `41.0.0-beta.8` * `40.7.0` * `39.8.0` * `38.8.6` ### For more information If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org) |
CVE-2026-34766
GHSA-9899-m83m-qhpj |
| VCID-t1z9-bmnv-57bm | Electron: HTTP Response Header Injection in custom protocol handlers and webRequest ### Impact Apps that register custom protocol handlers via `protocol.handle()` / `protocol.registerSchemesAsPrivileged()` or modify response headers via `webRequest.onHeadersReceived` may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. ### Workarounds Validate or sanitize any untrusted input before including it in a response header name or value. ### Fixed Versions * `41.0.3` * `40.8.3` * `39.8.3` * `38.8.6` ### For more information If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org) |
CVE-2026-34767
GHSA-4p4r-m79c-wq3v |
| VCID-uwqv-4aqn-87fd | Electron: Unquoted executable path in app.setLoginItemSettings on Windows ### Impact On Windows, `app.setLoginItemSettings({openAtLogin: true})` wrote the executable path to the `Run` registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app. On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location. ### Workarounds Install the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes. ### Fixed Versions * `41.0.0-beta.8` * `40.8.0` * `39.8.1` * `38.8.6` ### For more information If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org) |
CVE-2026-34768
GHSA-jfqx-fxh3-c62j |
| VCID-vda9-xbsz-d7fm | Electron: Out-of-bounds read in second-instance IPC on macOS and Linux ### Impact On macOS and Linux, apps that call `app.requestSingleInstanceLock()` were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's `second-instance` event handler. This issue is limited to processes running as the same user as the Electron app. Apps that do not call `app.requestSingleInstanceLock()` are not affected. Windows is not affected by this issue. ### Workarounds There are no app side workarounds, developers must update to a patched version of Electron. ### Fixed Versions * `41.0.0` * `40.8.1` * `39.8.1` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
CVE-2026-34776
GHSA-3c8v-cfp5-9885 |
| VCID-vp7h-hm4e-quaj | Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks ### Impact Apps that register an asynchronous `session.setPermissionRequestHandler()` may be vulnerable to a use-after-free when handling fullscreen, pointer-lock, or keyboard-lock permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback dereferences freed memory, which may lead to a crash or memory corruption. Apps that do not set a permission request handler, or whose handler responds synchronously, are not affected. ### Workarounds Respond to permission requests synchronously, or deny fullscreen, pointer-lock, and keyboard-lock requests if an asynchronous flow is required. ### Fixed Versions * `41.0.0-beta.8` * `40.7.0` * `39.8.0` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org) |
CVE-2026-34771
GHSA-8337-3p73-46f4 |