CVE-2026-34771

CVE-2026-34771 is a use-after-free vulnerability (CWE-416) in the Electron framework, which enables development of cross-platform desktop applications using JavaScript, HTML, and CSS. It affects Electron versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, specifically applications that register an asynchronous session.setPermissionRequestHandler(). The flaw occurs when handling fullscreen, pointer-lock, or keyboard-lock permission requests; if the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback can dereference freed memory, potentially causing a crash or memory corruption. Applications without a permission request handler or those using a synchronous handler are not affected. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-04-04.

An attacker can exploit this vulnerability over the network against Electron-based desktop applications by crafting malicious content that triggers the affected permission requests. Exploitation requires user interaction, such as granting permissions in a fullscreen, pointer-lock, or keyboard-lock context, and high attack complexity, typically involving timing the navigation or window closure precisely while the asynchronous handler is pending. Successful exploitation leads to memory corruption or application crashes, with potential for high confidentiality, integrity, and availability impacts depending on the application's privileges and context.

The Electron security advisory at https://github.com/electron/electron/security/advisories/GHSA-8337-3p73-46f4 confirms the issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8. Security practitioners should urge developers of affected Electron applications to update immediately and audit permission handlers to ensure synchronous responses or avoid asynchronous handling for the specified request types where possible.