PT-2026-30003 · Electron · Electron

Vertedindep · Published 2026-04-03 · Updated 2026-04-04 · CVE-2026-34773

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Electron versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0

Description: On Windows, the app.setAsDefaultProtocolClient(protocol) function did not validate the protocol name before writing to the registry. Passing untrusted input as the protocol name could allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes, potentially hijacking existing protocol handlers. Applications are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Applications using a hardcoded protocol name are not affected.

Recommendations:
- Versions prior to 38.8.6: upgrade to version 38.8.6 or later.
- Versions prior to 39.8.1: upgrade to version 39.8.1 or later.
- Versions prior to 40.8.1: upgrade to version 40.8.1 or later.
- Versions prior to 41.0.0: upgrade to version 41.0.0 or later.
- As a workaround, validate that the protocol name matches /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().

Fix

RCE

Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2026-34773
GHSA-MWMH-MQ4G-G6GR

Affected Products

Electron