Skip to main content

CVE-2026-34771

HIGH
Use After Free (CWE-416)
2026-04-03 https://github.com/electron/electron GHSA-8337-3p73-46f4
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Red Hat
7.5 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
CVSS changed
Jun 30, 2026 - 03:24 NVD
7.5 (HIGH) 8.8 (HIGH)
Re-analysis Queued
Apr 22, 2026 - 15:07 vuln.today
cvss_changed
Patch released
Apr 03, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 02:45 vuln.today
CVE Published
Apr 03, 2026 - 02:40 nvd
HIGH 7.5

DescriptionNVD

Impact

Apps that register an asynchronous session.setPermissionRequestHandler() may be vulnerable to a use-after-free when handling fullscreen, pointer-lock, or keyboard-lock permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback dereferences freed memory, which may lead to a crash or memory corruption.

Apps that do not set a permission request handler, or whose handler responds synchronously, are not affected.

Workarounds

Respond to permission requests synchronously, or deny fullscreen, pointer-lock, and keyboard-lock requests if an asynchronous flow is required.

Fixed Versions

  • 41.0.0-beta.8
  • 40.7.0
  • 39.8.0
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Use-after-free in Electron framework allows memory corruption when handling fullscreen, pointer-lock, or keyboard-lock permission requests in apps with asynchronous session.setPermissionRequestHandler() callbacks. Affects npm package electron versions prior to 41.0.0-beta.8, 40.7.0, 39.8.0, and 38.8.6. Remote attackers can trigger memory corruption or crashes if the requesting frame navigates or window closes while the permission handler is pending. EPSS data not available; no public exploit identified at time of analysis. Vendor-released patches available across all affected major version branches.

Technical ContextAI

This vulnerability stems from a use-after-free condition (CWE-416) in the Electron framework's permission request handling mechanism. Electron is a framework for building cross-platform desktop applications with web technologies (JavaScript, HTML, CSS). The flaw occurs specifically in the asynchronous callback architecture for session.setPermissionRequestHandler(), which processes permission requests for browser features like fullscreen mode, pointer lock, and keyboard lock. When an application registers an asynchronous permission handler, Electron stores a callback reference to invoke once the permission decision is made. However, if the DOM frame that initiated the request navigates away or the window closes before the callback executes, the stored callback attempts to dereference memory that has already been freed by the frame/window cleanup process. This classic use-after-free condition can lead to memory corruption, potentially allowing an attacker to manipulate memory contents or cause application crashes. The vulnerability only manifests when developers implement asynchronous permission handlers; synchronous handlers execute immediately and avoid this lifecycle timing issue.

RemediationAI

Application developers using Electron must upgrade the framework dependency to a patched version: 41.0.0-beta.8 or later for the 41.x branch, 40.7.0 or later for the 40.x branch, 39.8.0 or later for the 39.x branch, or 38.8.6 or later for the 38.x branch. Update the Electron dependency in package.json and rebuild the application bundle. For development teams unable to immediately upgrade, implement one of two workarounds: either refactor asynchronous permission handlers to respond synchronously (invoke the callback immediately within the handler function), or modify the handler to unconditionally deny fullscreen, pointer-lock, and keyboard-lock permission requests if asynchronous processing is required for other permission types. Official advisory and patch details available at https://github.com/electron/electron/security/advisories/GHSA-8337-3p73-46f4.

Vendor StatusVendor

Share

CVE-2026-34771 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy