Skip to main content

Microsoft CVE-2026-34770

HIGH
Use After Free (CWE-416)
2026-04-03 https://github.com/electron/electron GHSA-jjp3-mq3x-295m
7.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.0 HIGH
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 22, 2026 - 15:22 vuln.today
cvss_changed
Patch released
Apr 03, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 02:45 vuln.today
CVE Published
Apr 03, 2026 - 02:39 nvd
HIGH 7.0

DescriptionGitHub Advisory

Impact

Apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption.

All apps that access powerMonitor events (suspend, resume, lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable.

Workarounds

There are no app side workarounds, you must update to a patched version of Electron.

Fixed Versions

  • 41.0.0-beta.8
  • 40.8.0
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Use-after-free in Electron's powerMonitor module allows local attackers to trigger memory corruption or application crashes through system power events. All Electron applications (versions <38.8.6, <39.8.1, <40.8.0, <41.0.0-beta.8) that subscribe to powerMonitor events (suspend, resume, lock-screen) are vulnerable when garbage collection frees the PowerMonitor object while OS-level event handlers retain dangling pointers. Exploitation requires local access and specific timing conditions (CVSS 7.0 HIGH, AC:H). No public exploit identified at time of analysis, though the technical details are publicly documented in the GitHub security advisory.

Technical ContextAI

The vulnerability stems from improper lifetime management between Electron's JavaScript powerMonitor API and native OS event handlers. When the JavaScript PowerMonitor object is garbage-collected, the associated platform-specific resources are not properly cleaned up: Windows retains a message window and macOS retains a shutdown handler, both holding dangling pointers to freed memory. This creates a use-after-free condition (CWE-416) where subsequent OS power events-such as session changes on Windows or system shutdown on macOS-trigger callbacks that dereference the freed memory region. The vulnerability exists in the pkg:npm/electron package across multiple major versions. The issue represents a classic object lifetime mismatch between managed JavaScript objects and unmanaged native resources, a common pitfall in frameworks that bridge high-level and low-level code. Memory corruption vulnerabilities of this class can potentially be exploited for arbitrary code execution if an attacker can control the contents of the freed memory region, though the local attack vector and high complexity limit practical exploitation scenarios.

RemediationAI

Immediately upgrade to patched Electron versions: 41.0.0-beta.8 or later for the 41.x beta branch, 40.8.0 or later for the 40.x stable branch, 39.8.1 or later for the 39.x branch, or 38.8.6 or later for the 38.x LTS branch. Application developers should update the Electron dependency in package.json and rebuild their applications with the patched framework version. No application-side code changes are required beyond the Electron version upgrade, as the fix addresses the underlying framework issue. No workarounds exist-upgrading is the only remediation path. Organizations should prioritize applications deployed in multi-user environments or those processing sensitive data. For applications still on unsupported Electron versions (below 38.x), migration to a supported branch is strongly recommended. Verify the Electron version in deployed applications using electron.version or by checking node_modules/electron/package.json. Detailed advisory and patch information is available at https://github.com/electron/electron/security/advisories/GHSA-jjp3-mq3x-295m. After upgrading, test application functionality particularly around power management events to ensure compatibility with the patched implementation.

Share

CVE-2026-34770 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy