Skip to main content

CVE-2026-34772

MEDIUM
Use After Free (CWE-416)
2026-04-03 https://github.com/electron/electron GHSA-9w97-2464-8783
5.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.8 MEDIUM
AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
Red Hat
5.8 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Patch released
Apr 03, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 02:45 vuln.today
CVE Published
Apr 03, 2026 - 02:41 nvd
MEDIUM 5.8

DescriptionGitHub Advisory

Impact

Apps that allow downloads and programmatically destroy sessions may be vulnerable to a use-after-free. If a session is torn down while a native save-file dialog is open for a download, dismissing the dialog dereferences freed memory, which may lead to a crash or memory corruption.

Apps that do not destroy sessions at runtime, or that do not permit downloads, are not affected.

Workarounds

Avoid destroying sessions while a download save dialog may be open. Cancel pending downloads before session teardown.

Fixed Versions

  • 41.0.0-beta.7
  • 40.7.0
  • 39.8.0
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Use-after-free in Electron framework allows memory corruption when native save-file dialogs remain open during session teardown. Affected Electron versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.7 enable local attackers with UI interaction to trigger freed memory dereference via downloaded files, potentially causing application crashes or memory corruption. Only applications that programmatically destroy sessions at runtime and permit downloads are vulnerable; no public exploit code or active exploitation has been identified.

Technical ContextAI

Electron is a framework for building cross-platform desktop applications using Chromium and Node.js. This vulnerability exists in the session management layer's interaction with the native file save dialog (part of the OS-level download UI). When an application calls session destruction APIs while a native save-file dialog triggered by a download remains open, the dialog's reference to session memory becomes invalid. The underlying issue is a use-after-free (CWE-416) condition where the dismissal of the save dialog attempts to dereference memory that was freed during session teardown. The CPE identifier pkg:npm/electron indicates this affects the npm-distributed Electron package across multiple versions.

RemediationAI

Vendor-released patches are available: upgrade to Electron 38.8.6 or later (38.x), 39.8.0 or later (39.x), 40.7.0 or later (40.x), or 41.0.0-beta.7 or later (41.x development). Until patched, implement the workaround by ensuring that pending downloads are explicitly canceled before initiating session teardown, and avoid destroying sessions programmatically while native file dialogs may be open. For additional guidance, contact the Electron security team at security@electronjs.org. Reference: https://github.com/electron/electron/security/advisories/GHSA-9w97-2464-8783.

Vendor StatusVendor

Share

CVE-2026-34772 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy