What is the CVSS score of CVE-2026-34770?

CVE-2026-34770 has a CVSS 3.1 base score of 7.0 (High). CVSS vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Apple are affected by CVE-2026-34770?

A use-after-free vulnerability in Electron's powerMonitor module affects all versions below 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, enabling local attackers to corrupt memory or crash applications…. A patch is available.

Apple CVE-2026-34770

Q: How to fix or mitigate CVE-2026-34770?

Within 24 hours: Identify all Electron-based applications in production and their current versions using automated software inventory or package managers. Within 7 days: Test and deploy Electron 38.8.6, 39.8.1, 40.8.0, or later (matching your current major version branch) in a staging environment; coordinate with development teams on release timelines. Within 30 days: Complete production rollout of patched Electron versions across all end-user systems and internal applications; document completion in your vulnerability tracking system.

HIGH

Use After Free (CWE-416)

2026-04-03 https://github.com/electron/electron

GHSA-jjp3-mq3x-295m

Buffer Overflow Use After Free Memory Corruption Apple Microsoft

7.0

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 15:22 vuln.today

cvss_changed

Patch released

Apr 03, 2026 - 08:30 nvd

Patch available

Analysis Generated

Apr 03, 2026 - 02:45 vuln.today

CVE Published

Apr 03, 2026 - 02:39 nvd

HIGH 7.0

DescriptionNVD

Impact

Apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption.

All apps that access powerMonitor events (suspend, resume, lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

41.0.0-beta.8
40.8.0
39.8.1
38.8.6

For more information

If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Use-after-free in Electron's powerMonitor module allows local attackers to trigger memory corruption or application crashes through system power events. All Electron applications (versions <38.8.6, <39.8.1, <40.8.0, <41.0.0-beta.8) that subscribe to powerMonitor events (suspend, resume, lock-screen) are vulnerable when garbage collection frees the PowerMonitor object while OS-level event handlers retain dangling pointers. …

RemediationAI

Within 24 hours: Identify all Electron-based applications in production and their current versions using automated software inventory or package managers. Within 7 days: Test and deploy Electron 38.8.6, 39.8.1, 40.8.0, or later (matching your current major version branch) in a staging environment; coordinate with development teams on release timelines. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory