CVE-2026-34771

Name of the Vulnerable Software and Affected Versions Electron versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8

Description Applications using an asynchronous session.setPermissionRequestHandler() may experience a use-after-free issue when handling fullscreen, pointer-lock, or keyboard-lock permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback can dereference freed memory, potentially leading to a crash or memory corruption. Applications not using a permission request handler, or those responding synchronously, are not affected.

Recommendations Versions prior to 38.8.6: Update to version 38.8.6 or later. Versions prior to 39.8.0: Update to version 39.8.0 or later. Versions prior to 40.7.0: Update to version 40.7.0 or later. Versions prior to 41.0.0-beta.8: Update to version 41.0.0-beta.8 or later. As a workaround, respond to permission requests synchronously, or deny fullscreen, pointer-lock, and keyboard-lock requests if an asynchronous flow is required.