Microsoft
CVE-2026-34770
HIGH
Severity by source
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
Apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption.
All apps that access powerMonitor events (suspend, resume, lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.840.8.039.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)
AnalysisAI
Use-after-free in Electron's powerMonitor module allows local attackers to trigger memory corruption or application crashes through system power events. All Electron applications (versions <38.8.6, <39.8.1, <40.8.0, <41.0.0-beta.8) that subscribe to powerMonitor events (suspend, resume, lock-screen) are vulnerable when garbage collection frees the PowerMonitor object while OS-level event handlers retain dangling pointers. Exploitation requires local access and specific timing conditions (CVSS 7.0 HIGH, AC:H). No public exploit identified at time of analysis, though the technical details are publicly documented in the GitHub security advisory.
Technical ContextAI
The vulnerability stems from improper lifetime management between Electron's JavaScript powerMonitor API and native OS event handlers. When the JavaScript PowerMonitor object is garbage-collected, the associated platform-specific resources are not properly cleaned up: Windows retains a message window and macOS retains a shutdown handler, both holding dangling pointers to freed memory. This creates a use-after-free condition (CWE-416) where subsequent OS power events-such as session changes on Windows or system shutdown on macOS-trigger callbacks that dereference the freed memory region. The vulnerability exists in the pkg:npm/electron package across multiple major versions. The issue represents a classic object lifetime mismatch between managed JavaScript objects and unmanaged native resources, a common pitfall in frameworks that bridge high-level and low-level code. Memory corruption vulnerabilities of this class can potentially be exploited for arbitrary code execution if an attacker can control the contents of the freed memory region, though the local attack vector and high complexity limit practical exploitation scenarios.
RemediationAI
Immediately upgrade to patched Electron versions: 41.0.0-beta.8 or later for the 41.x beta branch, 40.8.0 or later for the 40.x stable branch, 39.8.1 or later for the 39.x branch, or 38.8.6 or later for the 38.x LTS branch. Application developers should update the Electron dependency in package.json and rebuild their applications with the patched framework version. No application-side code changes are required beyond the Electron version upgrade, as the fix addresses the underlying framework issue. No workarounds exist-upgrading is the only remediation path. Organizations should prioritize applications deployed in multi-user environments or those processing sensitive data. For applications still on unsupported Electron versions (below 38.x), migration to a supported branch is strongly recommended. Verify the Electron version in deployed applications using electron.version or by checking node_modules/electron/package.json. Detailed advisory and patch information is available at https://github.com/electron/electron/security/advisories/GHSA-jjp3-mq3x-295m. After upgrading, test application functionality particularly around power management events to ensure compatibility with the patched implementation.
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-jjp3-mq3x-295m