Vulnerability details: VCID-vp7h-hm4e-quaj
Vulnerability ID VCID-vp7h-hm4e-quaj
Aliases CVE-2026-34771
GHSA-8337-3p73-46f4
Summary Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks

### Impact
Apps that register an asynchronous `session.setPermissionRequestHandler()` may be vulnerable to a use-after-free when handling fullscreen, pointer-lock, or keyboard-lock permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback dereferences freed memory, which may lead to a crash or memory corruption.

Apps that do not set a permission request handler, or whose handler responds synchronously, are not affected.

### Workarounds
Respond to permission requests synchronously, or deny fullscreen, pointer-lock, and keyboard-lock requests if an asynchronous flow is required.

### Fixed Versions
* `41.0.0-beta.8`
* `40.7.0`
* `39.8.0`
* `38.8.6`

### For more information
If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)
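
The workaround described in the advisory, as an added example (not code from the advisory or the Electron project): a handler that denies the three affected permissions before any asynchronous work and keeps the asynchronous flow for everything else. `installPermissionHandler`, `decideAsync` and `demo` are hypothetical names, and the session object used in `demo` is a constructed stand-in so the block runs without Electron.

```javascript
// Electron permission strings for the three request types named in the advisory.
const SYNC_DENY = new Set(['fullscreen', 'pointerLock', 'keyboardLock']);

// `ses` is an Electron Session (for example session.defaultSession).
// `decideAsync` is a hypothetical app function returning Promise<boolean>.
function installPermissionHandler(ses, decideAsync) {
  ses.setPermissionRequestHandler((webContents, permission, callback, details) => {
    if (SYNC_DENY.has(permission)) {
      // Answer in the same tick: the callback is never held across an await,
      // so a navigation or window close cannot happen while it is pending.
      callback(false);
      return;
    }
    // Other permissions may keep the asynchronous flow.
    let settled = false;
    const finish = (allow) => {
      if (settled) return;        // invoke the callback exactly once
      settled = true;
      callback(Boolean(allow));
    };
    Promise.resolve()
      .then(() => decideAsync(permission, details))
      .then(finish, () => finish(false)); // fail closed if the decision throws
  });
}

// Constructed stand-in for a Session, used only to show the timing.
function demo() {
  let handler;
  const fakeSession = { setPermissionRequestHandler: (h) => { handler = h; } };
  installPermissionHandler(fakeSession, async () => true);

  const seen = {};
  for (const p of ['fullscreen', 'pointerLock', 'keyboardLock', 'notifications']) {
    seen[p] = 'pending';
    handler(null, p, (allow) => { seen[p] = allow; }, {});
  }
  // Snapshot taken synchronously, before any promise callback has run.
  return { ...seen };
}
```

In an app, call `installPermissionHandler(session.defaultSession, decideAsync)` from the main process once the app is ready; upgrading to one of the fixed versions removes the need for the synchronous deny list.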
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34771.json
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-34771
epss 0.00016 https://api.first.org/data/v1/epss?cve=CVE-2026-34771
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2026-34771
epss 0.00039 https://api.first.org/data/v1/epss?cve=CVE-2026-34771
epss 0.00042 https://api.first.org/data/v1/epss?cve=CVE-2026-34771
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-8337-3p73-46f4
cvssv3.1 7.5 https://github.com/electron/electron
generic_textual HIGH https://github.com/electron/electron
cvssv3.1 7.5 https://github.com/electron/electron/security/advisories/GHSA-8337-3p73-46f4
cvssv3.1_qr HIGH https://github.com/electron/electron/security/advisories/GHSA-8337-3p73-46f4
generic_textual HIGH https://github.com/electron/electron/security/advisories/GHSA-8337-3p73-46f4
ssvc Track https://github.com/electron/electron/security/advisories/GHSA-8337-3p73-46f4
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2026-34771
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-34771
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34771.json
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/security/advisories/GHSA-8337-3p73-46f4
Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-06T16:04:11Z/ Found at https://github.com/electron/electron/security/advisories/GHSA-8337-3p73-46f4
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34771
Exploit Prediction Scoring System (EPSS)
Percentile 0.02859
EPSS Score 0.00014
Published At April 21, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-03T21:42:21.694304+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-8337-3p73-46f4/GHSA-8337-3p73-46f4.json 38.1.0