CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L
Description
### Impact

Apps that call `clipboard.readImage()` may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process.

Apps are only affected if they call `clipboard.readImage()`. Apps that do not read images from the clipboard are not affected.

This issue does not allow memory corruption or code execution.

### Workarounds

Validate that the clipboard contains image data via `clipboard.availableFormats()` before calling `clipboard.readImage()`. Note this only narrows the window - upgrading to a fixed version is recommended.

### Fixed Versions

* `42.0.0-alpha.5`
* `41.1.0`
* `40.8.5`
* `39.8.5`

### For more information

If you have any questions or comments about this advisory, email us at [[email protected]](mailto:[email protected])
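The Workarounds and Fixed Versions sections above can be combined into one check, shown here as an added example that is not code from the advisory or from Electron. The function names are hypothetical, the `image/` prefix test and the handling of nightly builds and of majors above 42 are assumptions, and the `clipboard` argument stands for Electron's `clipboard` module.

```javascript
// Added example (not Electron project code). Fixed versions copied from the advisory.
const FIXED = { 39: '39.8.5', 40: '40.8.5', 41: '41.1.0', 42: '42.0.0-alpha.5' };

// Semver-style comparison including prerelease tags; returns -1, 0 or 1.
function compareVersions(a, b) {
  const [ca, pa] = a.split('-', 2);
  const [cb, pb] = b.split('-', 2);
  const na = ca.split('.').map(Number);
  const nb = cb.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (na[i] !== nb[i]) return na[i] < nb[i] ? -1 : 1;
  }
  if (!pa || !pb) return pa ? -1 : pb ? 1 : 0; // a release sorts after its prereleases
  const ia = pa.split('.');
  const ib = pb.split('.');
  for (let i = 0; i < Math.max(ia.length, ib.length); i++) {
    if (ia[i] === undefined) return -1;
    if (ib[i] === undefined) return 1;
    const nx = /^\d+$/.test(ia[i]);
    const ny = /^\d+$/.test(ib[i]);
    if (nx && ny && +ia[i] !== +ib[i]) return +ia[i] < +ib[i] ? -1 : 1;
    if (nx !== ny) return nx ? -1 : 1; // numeric identifiers sort first
    if (!nx && ia[i] !== ib[i]) return ia[i] < ib[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` (e.g. process.versions.electron) is at or past the fix for its major.
function isPatched(version) {
  if (version.includes('nightly')) return false; // assumption: not in the list, treat as unpatched
  const major = Number(version.split('.')[0]);
  if (major > 42) return true; // assumption: later majors ship the fix
  const fixed = FIXED[major];
  return fixed !== undefined && compareVersions(version, fixed) >= 0;
}

// Workaround guard. `clipboard` is Electron's clipboard module, injected for testability.
// Assumption: image data is reported as a MIME type starting with "image/".
// A listed format does not prove the data decodes, so this only narrows the window.
function readClipboardImage(clipboard) {
  const hasImage = clipboard.availableFormats().some((f) => f.startsWith('image/'));
  return hasImage ? clipboard.readImage() : null;
}
```

In an app, call `isPatched(process.versions.electron)` at startup to flag unpatched builds, and route image reads through `readClipboardImage(clipboard)` until the upgrade lands.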
Analysis
Denial of service in Electron's clipboard.readImage() allows local authenticated attackers to crash applications by supplying malformed image data on the system clipboard. The vulnerability affects Electron versions prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, but only impacts apps that explicitly call clipboard.readImage(). …
EUVD-2026-19950
GHSA-f37v-82c4-4x64