Out-of-Bounds Heap Read Vulnerability in Electron Framework on macOS and Linux
CVE-2026-34776

CVSS 5.3 MEDIUM

Key Information:

Vendor: Electron
Status: Vendor
CVE Published: 3 April 2026

What is CVE-2026-34776?

Electron, the framework for building cross-platform desktop applications from web technologies, contains an out-of-bounds heap read that affects specific versions on macOS and Linux. An application that calls app.requestSingleInstanceLock() (so that only one instance runs and later launches hand their arguments to it) is susceptible when the running instance processes a specially crafted second-instance message sent by another local process. The out-of-bounds read can cause memory beyond the intended buffer, which may hold sensitive data, to be delivered to the app's second-instance event handler, from where the application might log, display or forward it. The vulnerability does not affect applications running on Windows, nor applications that never call app.requestSingleInstanceLock(). Developers are encouraged to update to a patched release: 38.8.6, 39.8.1, 40.8.1 or 41.0.0.

Affected Version(s)

electron < 38.8.6

electron >= 39.0.0-alpha.1, < 39.8.1

electron >= 40.0.0-alpha.1, < 40.8.1

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: Low
