Microsoft
CVE-2026-34776
MEDIUM
Severity by source
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
On macOS and Linux, apps that call app.requestSingleInstanceLock() were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler.
This issue is limited to processes running as the same user as the Electron app.
Apps that do not call app.requestSingleInstanceLock() are not affected. Windows is not affected by this issue.
Workarounds
There are no app side workarounds, developers must update to a patched version of Electron.
Fixed Versions
41.0.040.8.139.8.138.8.6
For more information
If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)
AnalysisAI
Out-of-bounds heap read in Electron's single-instance lock mechanism on macOS and Linux allows local attackers with same-user privileges to leak sensitive application memory through crafted second-instance messages. Affected Electron versions prior to 41.0.0, 40.8.1, 39.8.1, and 38.8.6 are vulnerable only if applications explicitly call app.requestSingleInstanceLock(); no public exploit code is currently identified, but the CVSS 5.3 score reflects moderate confidentiality impact combined with local attack complexity requirements.
Technical ContextAI
Electron is a framework for building cross-platform desktop applications using web technologies (Chromium and Node.js). The vulnerability exists in Electron's single-instance lock feature, which ensures only one instance of an application runs at a time by using inter-process communication to relay arguments to an already-running process via the 'second-instance' event handler. The out-of-bounds read (CWE-125: Out-of-bounds Read) occurs during parsing of second-instance messages on macOS and Linux, where insufficient bounds checking allows reading beyond allocated heap memory. The vulnerability is triggered when a local attacker (same user context) sends a specially crafted second-instance message, bypassing the normal argument validation. This is a heap-based information disclosure vulnerability specific to NPM package 'electron' across multiple major versions (38.x, 39.x, 40.x, 41.x).
RemediationAI
Electron developers must upgrade to patched versions immediately: version 41.0.0 or later, version 40.8.1 or later (for 40.x branch), version 39.8.1 or later (for 39.x branch), or version 38.8.6 or later (for 38.x branch). No application-side workarounds are available; patching Electron is the only remediation path. Update the Electron dependency in package.json to the minimum patched version matching your current major version branch, then rebuild and redistribute the application. Consult https://github.com/advisories/GHSA-3c8v-cfp5-9885 for detailed advisory information.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-3c8v-cfp5-9885