CVE-2026-34771
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionNVD
Impact
Apps that register an asynchronous session.setPermissionRequestHandler() may be vulnerable to a use-after-free when handling fullscreen, pointer-lock, or keyboard-lock permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback dereferences freed memory, which may lead to a crash or memory corruption.
Apps that do not set a permission request handler, or whose handler responds synchronously, are not affected.
Workarounds
Respond to permission requests synchronously, or deny fullscreen, pointer-lock, and keyboard-lock requests if an asynchronous flow is required.
Fixed Versions
41.0.0-beta.840.7.039.8.038.8.6
For more information
If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)
AnalysisAI
Use-after-free in Electron framework allows memory corruption when handling fullscreen, pointer-lock, or keyboard-lock permission requests in apps with asynchronous session.setPermissionRequestHandler() callbacks. Affects npm package electron versions prior to 41.0.0-beta.8, 40.7.0, 39.8.0, and 38.8.6. Remote attackers can trigger memory corruption or crashes if the requesting frame navigates or window closes while the permission handler is pending. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patches available across all affected major version branches.
Technical ContextAI
This vulnerability stems from a use-after-free condition (CWE-416) in the Electron framework's permission request handling mechanism. Electron is a framework for building cross-platform desktop applications with web technologies (JavaScript, HTML, CSS). The flaw occurs specifically in the asynchronous callback architecture for session.setPermissionRequestHandler(), which processes permission requests for browser features like fullscreen mode, pointer lock, and keyboard lock. When an application registers an asynchronous permission handler, Electron stores a callback reference to invoke once the permission decision is made. However, if the DOM frame that initiated the request navigates away or the window closes before the callback executes, the stored callback attempts to dereference memory that has already been freed by the frame/window cleanup process. This classic use-after-free condition can lead to memory corruption, potentially allowing an attacker to manipulate memory contents or cause application crashes. The vulnerability only manifests when developers implement asynchronous permission handlers; synchronous handlers execute immediately and avoid this lifecycle timing issue.
RemediationAI
Application developers using Electron must upgrade the framework dependency to a patched version: 41.0.0-beta.8 or later for the 41.x branch, 40.7.0 or later for the 40.x branch, 39.8.0 or later for the 39.x branch, or 38.8.6 or later for the 38.x branch. Update the Electron dependency in package.json and rebuild the application bundle. For development teams unable to immediately upgrade, implement one of two workarounds: either refactor asynchronous permission handlers to respond synchronously (invoke the callback immediately within the handler function), or modify the handler to unconditionally deny fullscreen, pointer-lock, and keyboard-lock permission requests if asynchronous processing is required for other permission types. Official advisory and patch details available at https://github.com/electron/electron/security/advisories/GHSA-8337-3p73-46f4.
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-8337-3p73-46f4