Arbitrary Write Vulnerability in Electron Framework for Desktop Applications
CVE-2026-34773

4.7 MEDIUM

Key Information:

Vendor: Electron
Status: Vendor
CVE Published: 3 April 2026

What is CVE-2026-34773?

Electron, the framework for building cross-platform desktop applications, does not validate the protocol name passed to app.setAsDefaultProtocolClient(protocol) before writing it to the Windows registry. Because the name is used unchecked to build a registry path, an application that passes an untrusted protocol name can be made to write to arbitrary subkeys under HKCU\Software\Classes, which can overwrite existing protocol handlers. Applications that derive the protocol name from external or untrusted sources are affected. The issue is fixed in versions 38.8.6, 39.8.1, 40.8.1 and 41.0.0; users are urged to update.

Affected Version(s)

electron < 38.8.6

electron >= 39.0.0-alpha.1, < 39.8.1

electron >= 40.0.0-alpha.1, < 40.8.1

CVSS V3.1

Score: 4.7
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved