CVE-2026-34776

CVSS v3.1

5.3

Medium

AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L

Impact

On macOS and Linux, apps that call app.requestSingleInstanceLock() were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler.

This issue is limited to processes running as the same user as the Electron app.

Apps that do not call app.requestSingleInstanceLock() are not affected. Windows is not affected by this issue.

Workarounds

There are no app side workarounds, developers must update to a patched version of Electron.

Fixed Versions

41.0.0
40.8.1
39.8.1
38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

Fix

Out of bounds Read

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-125

Related Identifiers

CVE-2026-34776

GHSA-3C8V-CFP5-9885

Affected Products

Electron

CVE-2026-34776

Impact

Workarounds

Fixed Versions

For more information

Weakness Enumeration

Related Identifiers

Affected Products

References · 3