Vulnerability details: VCID-vda9-xbsz-d7fm
Vulnerability ID VCID-vda9-xbsz-d7fm
Aliases CVE-2026-34776
GHSA-3c8v-cfp5-9885
Summary Electron: Out-of-bounds read in second-instance IPC on macOS and Linux

### Impact

On macOS and Linux, apps that call `app.requestSingleInstanceLock()` were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's `second-instance` event handler. This issue is limited to processes running as the same user as the Electron app.

Apps that do not call `app.requestSingleInstanceLock()` are not affected. Windows is not affected by this issue.

### Workarounds

There are no app-side workarounds; developers must update to a patched version of Electron.

### Fixed Versions

* `41.0.0`
* `40.8.1`
* `39.8.1`
* `38.8.6`

### For more information

If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
| System | Score | Found at |
| --- | --- | --- |
| cvssv3 | 5.3 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34776.json |
| epss | 0.0001 | https://api.first.org/data/v1/epss?cve=CVE-2026-34776 |
| epss | 0.00012 | https://api.first.org/data/v1/epss?cve=CVE-2026-34776 |
| epss | 0.00013 | https://api.first.org/data/v1/epss?cve=CVE-2026-34776 |
| epss | 0.00015 | https://api.first.org/data/v1/epss?cve=CVE-2026-34776 |
| epss | 6e-05 | https://api.first.org/data/v1/epss?cve=CVE-2026-34776 |
| cvssv3.1_qr | MODERATE | https://github.com/advisories/GHSA-3c8v-cfp5-9885 |
| cvssv3.1 | 5.3 | https://github.com/electron/electron |
| generic_textual | MODERATE | https://github.com/electron/electron |
| cvssv3.1 | 5.3 | https://github.com/electron/electron/security/advisories/GHSA-3c8v-cfp5-9885 |
| cvssv3.1_qr | MODERATE | https://github.com/electron/electron/security/advisories/GHSA-3c8v-cfp5-9885 |
| generic_textual | MODERATE | https://github.com/electron/electron/security/advisories/GHSA-3c8v-cfp5-9885 |
| ssvc | Track | https://github.com/electron/electron/security/advisories/GHSA-3c8v-cfp5-9885 |
| cvssv3.1 | 5.3 | https://nvd.nist.gov/vuln/detail/CVE-2026-34776 |
| generic_textual | MODERATE | https://nvd.nist.gov/vuln/detail/CVE-2026-34776 |

No exploits are available.
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34776.json

| Metric | Value |
| --- | --- |
| Attack Vector (AV) | local |
| Attack Complexity (AC) | high |
| Privileges Required (PR) | low |
| User Interaction (UI) | none |
| Scope (S) | unchanged |
| Confidentiality Impact (C) | high |
| Integrity Impact (I) | none |
| Availability Impact (A) | low |

Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L Found at https://github.com/electron/electron
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L Found at https://github.com/electron/electron/security/advisories/GHSA-3c8v-cfp5-9885
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-06T15:31:24Z/ Found at https://github.com/electron/electron/security/advisories/GHSA-3c8v-cfp5-9885
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34776
Exploit Prediction Scoring System (EPSS)
Percentile 0.0121
EPSS Score 0.0001
Published At April 29, 2026, 12:55 p.m.

| Date | Actor | Action | Source | VulnerableCode Version |
| --- | --- | --- | --- | --- |
| 2026-04-03T21:42:20.343433+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-3c8v-cfp5-9885/GHSA-3c8v-cfp5-9885.json | 38.1.0 |