CVE-2026-34776
MEDIUM
GHSA-3c8v-cfp5-9885
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L
Lifecycle Timeline
3Description
### Impact On macOS and Linux, apps that call `app.requestSingleInstanceLock()` were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's `second-instance` event handler. This issue is limited to processes running as the same user as the Electron app. Apps that do not call `app.requestSingleInstanceLock()` are not affected. Windows is not affected by this issue. ### Workarounds There are no app side workarounds, developers must update to a patched version of Electron. ### Fixed Versions * `41.0.0` * `40.8.1` * `39.8.1` * `38.8.6` ### For more information If there are any questions or comments about this advisory, please email [[email protected]](mailto:[email protected])
Analysis
Out-of-bounds heap read in Electron's single-instance lock mechanism on macOS and Linux allows local attackers with same-user privileges to leak sensitive application memory through crafted second-instance messages. Affected Electron versions prior to 41.0.0, 40.8.1, 39.8.1, and 38.8.6 are vulnerable only if applications explicitly call app.requestSingleInstanceLock(); no public exploit code is currently identified, but the CVSS 5.3 score reflects moderate confidentiality impact combined with local attack complexity requirements.
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today