Skip to main content

Microsoft CVE-2026-34776

MEDIUM
Out-of-bounds Read (CWE-125)
2026-04-03 https://github.com/electron/electron GHSA-3c8v-cfp5-9885
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L
Red Hat
5.3 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch released
Apr 03, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 02:45 vuln.today
CVE Published
Apr 03, 2026 - 02:43 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Impact

On macOS and Linux, apps that call app.requestSingleInstanceLock() were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler.

This issue is limited to processes running as the same user as the Electron app.

Apps that do not call app.requestSingleInstanceLock() are not affected. Windows is not affected by this issue.

Workarounds

There are no app side workarounds, developers must update to a patched version of Electron.

Fixed Versions

  • 41.0.0
  • 40.8.1
  • 39.8.1
  • 38.8.6

For more information

If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Out-of-bounds heap read in Electron's single-instance lock mechanism on macOS and Linux allows local attackers with same-user privileges to leak sensitive application memory through crafted second-instance messages. Affected Electron versions prior to 41.0.0, 40.8.1, 39.8.1, and 38.8.6 are vulnerable only if applications explicitly call app.requestSingleInstanceLock(); no public exploit code is currently identified, but the CVSS 5.3 score reflects moderate confidentiality impact combined with local attack complexity requirements.

Technical ContextAI

Electron is a framework for building cross-platform desktop applications using web technologies (Chromium and Node.js). The vulnerability exists in Electron's single-instance lock feature, which ensures only one instance of an application runs at a time by using inter-process communication to relay arguments to an already-running process via the 'second-instance' event handler. The out-of-bounds read (CWE-125: Out-of-bounds Read) occurs during parsing of second-instance messages on macOS and Linux, where insufficient bounds checking allows reading beyond allocated heap memory. The vulnerability is triggered when a local attacker (same user context) sends a specially crafted second-instance message, bypassing the normal argument validation. This is a heap-based information disclosure vulnerability specific to NPM package 'electron' across multiple major versions (38.x, 39.x, 40.x, 41.x).

RemediationAI

Electron developers must upgrade to patched versions immediately: version 41.0.0 or later, version 40.8.1 or later (for 40.x branch), version 39.8.1 or later (for 39.x branch), or version 38.8.6 or later (for 38.x branch). No application-side workarounds are available; patching Electron is the only remediation path. Update the Electron dependency in package.json to the minimum patched version matching your current major version branch, then rebuild and redistribute the application. Consult https://github.com/advisories/GHSA-3c8v-cfp5-9885 for detailed advisory information.

Vendor StatusVendor

Share

CVE-2026-34776 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy