Electron CVE-2026-54257
CRITICAL
GHSA-q6m5-f73j-m9mc
Severity by source
Reachable via attacker-controlled input the app processes (AV:N, UI:R); triggering the miscalculation is non-trivial (AC:H); dominant impact is crash (A:H) with possible incorrect allocation (I:L), no confidentiality impact shown.
Lifecycle Timeline
2DescriptionCVE.org
Impact
Most apps will crash and some may perform incorrect buffer allocations in the Node.js Buffer API resulting in unexpected truncation or allocation.
Workarounds
No workarounds. Do not use these impacted Electron releases
Fixed Versions
42.3.3
For more information
If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)
Articles & Coverage 1
AnalysisAI
Heap buffer under/overflow in Electron 42.3.1 through 42.3.2 causes most applications to crash and may lead to incorrect Buffer allocations in the Node.js Buffer API, resulting in unexpected truncation or allocation. The flaw stems from incorrect byte length calculations within Electron's Buffer handling. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a victim run a desktop application built on Electron 42.3.1 or 42.3.2 specifically (the bug is absent before 42.3.1 and fixed in 42.3.3), and that attacker-influenced data reach a Node.js Buffer API path performing the miscalculated byte length operation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector, EPSS score, KEV listing, or SSVC decision data is provided, so quantitative prioritization signals are absent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker delivers crafted input (for example, attacker-controlled data routed through IPC, a fetched resource, or a file the app parses) that reaches a Node.js Buffer allocation or copy in the Electron application; the miscomputed byte length triggers a heap buffer under/overflow, crashing the application in the common case. In a more advanced scenario, the resulting incorrect allocation or truncation could be leveraged to corrupt adjacent heap state, though no public exploit demonstrating code execution has been identified at time of analysis. |
| Remediation | Vendor-released patch: Electron 42.3.3 - upgrade the bundled Electron runtime to 42.3.3 or later and rebuild/redistribute affected desktop applications, per GHSA-q6m5-f73j-m9mc (https://github.com/electron/electron/security/advisories/GHSA-q6m5-f73j-m9mc). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Electron applications in use and identify deployments of versions 42.3.1-42.3.2; assess business-critical dependencies on affected versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More from same product – last 7 days
Remote code execution in Vitest Browser Mode (npm @vitest/browser 3.0.0-3.2.4, 4.0.0-4.1.7, 5.0.0-beta.0-5.0.0-beta.3) a
Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.p
Prototype pollution in ApostropheCMS versions up to and including 4.30.0 allows an authenticated editor to poison Object
Code injection in OpenZeppelin Contracts Wizard's `@openzeppelin/wizard` npm package (<=0.10.8) allows attacker-supplied
Stored cross-site scripting in the @apostrophecms/seo plugin (versions ≤1.4.2) allows any user holding the default edito
Share
External POC / Exploit Code
Leaving vuln.today