Skip to main content

CVE-2026-34781

| EUVDEUVD-2026-19950 LOW
NULL Pointer Dereference (CWE-476)
2026-04-07 https://github.com/electron/electron GHSA-f37v-82c4-4x64
2.8
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.8 LOW
AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
EUVD ID Assigned
Apr 07, 2026 - 16:00 euvd
EUVD-2026-19950
Analysis Generated
Apr 07, 2026 - 16:00 vuln.today
Patch released
Apr 07, 2026 - 16:00 nvd
Patch available
CVE Published
Apr 07, 2026 - 15:52 nvd
LOW 2.8

DescriptionGitHub Advisory

Impact

Apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process.

Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution.

Workarounds

Validate that the clipboard contains image data via clipboard.availableFormats() before calling clipboard.readImage(). Note this only narrows the window - upgrading to a fixed version is recommended.

Fixed Versions

  • 42.0.0-alpha.5
  • 41.1.0
  • 40.8.5
  • 39.8.5

For more information

If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Denial of service in Electron's clipboard.readImage() allows local authenticated attackers to crash applications by supplying malformed image data on the system clipboard. The vulnerability affects Electron versions prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, but only impacts apps that explicitly call clipboard.readImage(). No code execution or memory corruption is possible; the attack results in a controlled process abort when a null bitmap is passed unchecked to image construction. Vendor-released patches are available across all supported release lines.

Technical ContextAI

Electron is a framework for building cross-platform desktop applications using web technologies. The vulnerability exists in the clipboard API's readImage() method (CPE: pkg:npm/electron), which interfaces with the system clipboard to retrieve image data. The root cause is a null pointer dereference (CWE-476) where the method fails to validate that clipboard image data successfully decoded before passing the resulting bitmap to image construction routines. When the system clipboard contains image data in a format or state that causes decoding to fail, a null pointer is created and dereferenced without validation, triggering a controlled abort that terminates the process. The vulnerability requires local system access and user interaction (the clipboard must be actively populated with malformed image data), limiting the attack surface to local threat actors.

RemediationAI

Vendor-released patches are available: upgrade to Electron 39.8.5, 40.8.5, 41.1.0, or 42.0.0-alpha.5 or later depending on your current release line. The patch addresses null pointer validation in the clipboard.readImage() method via https://github.com/electron/electron/pull/50475 and commit a48f03fb8d03933547281ddb2dbb6c6b9e705287. As a temporary workaround for unpatched versions, call clipboard.availableFormats() to validate clipboard contents before invoking clipboard.readImage(), though this only reduces the attack window and does not eliminate the vulnerability. Applications that do not call clipboard.readImage() are not affected and do not require patching for this specific issue. Consult the full security advisory at https://github.com/electron/electron/security/advisories/GHSA-f37v-82c4-4x64 for additional guidance.

Share

CVE-2026-34781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy