CVE-2026-34766

Name of the Vulnerable Software and Affected Versions Electron versions prior to 38.8.6, prior to 39.8.0, prior to 40.7.0, and prior to 41.0.0-beta.8

Description The select-usb-device event callback did not validate the chosen device ID against the filtered list presented to the handler. An application handler influenced to select a device ID outside the filtered set could grant access to a device that does not match the renderer's requested filters or is listed in exclusionFilters. The WebUSB security blocklist remained enforced, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to applications with unusual device-selection logic.

Recommendations Update to Electron version 38.8.6 or later. Update to Electron version 39.8.0 or later. Update to Electron version 40.7.0 or later. Update to Electron version 41.0.0-beta.8 or later.