Is Use After Free affected by CVE-2026-34770?

A use-after-free vulnerability in Electron's powerMonitor module affects all versions below 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, enabling local attackers to corrupt memory or crash applications through system power events.

CVE-2026-34770

Q: How to fix CVE-2026-34770?

Within 24 hours: Identify all Electron-based applications in production and their current versions using automated software inventory or package managers. Within 7 days: Test and deploy Electron 38.8.6, 39.8.1, 40.8.0, or later (matching your current major version branch) in a staging environment; coordinate with development teams on release timelines. Within 30 days: Complete production rollout of patched Electron versions across all end-user systems and internal applications; document completion in your vulnerability tracking system.

HIGH

2026-04-03 https://github.com/electron/electron

GHSA-jjp3-mq3x-295m

7.0

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Apr 03, 2026 - 08:30 nvd

Patch available

Analysis Generated

Apr 03, 2026 - 02:45 vuln.today

CVE Published

Apr 03, 2026 - 02:39 nvd

HIGH 7.0

Description

### Impact Apps that use the `powerMonitor` module may be vulnerable to a use-after-free. After the native `PowerMonitor` object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption. All apps that access `powerMonitor` events (`suspend`, `resume`, `lock-screen`, etc.) are potentially affected. The issue is not directly renderer-controllable. ### Workarounds There are no app side workarounds, you must update to a patched version of Electron. ### Fixed Versions * `41.0.0-beta.8` * `40.8.0` * `39.8.1` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [[email protected]](mailto:[email protected])

Analysis

Use-after-free in Electron's powerMonitor module allows local attackers to trigger memory corruption or application crashes through system power events. All Electron applications (versions <38.8.6, <39.8.1, <40.8.0, <41.0.0-beta.8) that subscribe to powerMonitor events (suspend, resume, lock-screen) are vulnerable when garbage collection frees the PowerMonitor object while OS-level event handlers retain dangling pointers. …

Remediation

Within 24 hours: Identify all Electron-based applications in production and their current versions using automated software inventory or package managers. Within 7 days: Test and deploy Electron 38.8.6, 39.8.1, 40.8.0, or later (matching your current major version branch) in a staging environment; coordinate with development teams on release timelines. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +35

POC: 0

CVE-2026-34770 vulnerability details – vuln.today

Back

CVE-2026-34770

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-34770

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code