Cyber Resilience

CVE-2026-34771

HighUpdated

Published: 04 April 2026

Published
04 April 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0029 20.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34771 is a high-severity Use After Free (CWE-416) vulnerability in Electronjs Electron. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 20.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34771 is a use-after-free vulnerability (CWE-416) in the Electron framework, which enables development of cross-platform desktop applications using JavaScript, HTML, and CSS. It affects Electron versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, specifically applications that register an asynchronous session.setPermissionRequestHandler(). The flaw occurs when handling fullscreen, pointer-lock, or keyboard-lock permission requests; if the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback can dereference freed memory, potentially causing a crash or memory corruption. Applications without a permission request handler or those using a synchronous handler are not affected. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-04-04.

An attacker can exploit this vulnerability over the network against Electron-based desktop applications by crafting malicious content that triggers the affected permission requests. Exploitation requires user interaction, such as granting permissions in a fullscreen, pointer-lock, or keyboard-lock context, and high attack complexity, typically involving timing the navigation or window closure precisely while the asynchronous handler is pending. Successful exploitation leads to memory corruption or application crashes, with potential for high confidentiality, integrity, and availability impacts depending on the application's privileges and context.

The Electron security advisory at https://github.com/electron/electron/security/advisories/GHSA-8337-3p73-46f4 confirms the issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8. Security practitioners should urge developers of affected Electron applications to update immediately and audit permission handlers to ensure synchronous responses or avoid asynchronous handling for the specified request types where possible.

EU & UK References

Vulnerability details

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, apps that register an asynchronous session.setPermissionRequestHandler() may be vulnerable to a use-after-free when handling fullscreen, pointer-lock, or keyboard-lock…

more

permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback dereferences freed memory, which may lead to a crash or memory corruption. Apps that do not set a permission request handler, or whose handler responds synchronously, are not affected. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Use-after-free in Electron client framework enables network-based exploitation of desktop apps via malicious content triggering permission handlers, directly mapping to Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34770Same product: Electronjs Electron
CVE-2026-34772Same product: Electronjs Electron
CVE-2026-34774Same product: Electronjs Electron
CVE-2026-34769Same product: Electronjs Electron
CVE-2026-34765Same product: Electronjs Electron
CVE-2026-34775Same product: Electronjs Electron
CVE-2026-34780Same product: Electronjs Electron
CVE-2026-34768Same product: Electronjs Electron
CVE-2026-34779Same product: Electronjs Electron
CVE-2026-34773Same product: Electronjs Electron

Affected Assets

electronjs
electron
41.0.0 · ≤ 38.8.6 · 39.0.0 — 39.8.0 · 40.0.0 — 40.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the use-after-free vulnerability by requiring timely identification, reporting, and patching of affected Electron versions to eliminate the flaw.

detect

Enables detection of vulnerable Electron-based applications through regular vulnerability scanning, facilitating prompt flaw remediation.

prevent

Implements memory protection mechanisms that hinder exploitation of the use-after-free by preventing unauthorized memory access and code execution.

References