CVE-2026-34772
Published: 04 April 2026
Summary
CVE-2026-34772 is a medium-severity Use After Free (CWE-416) vulnerability in Electronjs Electron. Its CVSS base score is 5.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 2.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
SI-2 (Flaw Remediation): Directly mitigates the use-after-free by requiring that the flaw be identified, reported, and corrected, in this case by upgrading to a patched Electron version (38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8).
CM-7 (Least Functionality): Prevents the vulnerable condition from arising by configuring Electron applications for least functionality, for example disabling downloads or programmatic session destruction where they are not required.
SI-16 (Memory Protection): Reduces the impact of the use-after-free memory corruption through memory protection techniques such as range validation and prevention of unauthorized memory access.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Use-after-free memory corruption in Electron client applications maps directly to Exploitation for Client Execution (T1203); the realistic outcomes are information disclosure or an application crash.
NVD Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, apps that allow downloads and programmatically destroy sessions may be vulnerable to a use-after-free. If a session is torn down while a native save-file dialog is open for a download, dismissing the dialog dereferences freed memory, which may lead to a crash or memory corruption. Apps that do not destroy sessions at runtime, or that do not permit downloads, are not affected. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.
Deeper analysis [AI]
CVE-2026-34772 is a use-after-free vulnerability (CWE-416) in the Electron framework, which enables developers to build cross-platform desktop applications using JavaScript, HTML, and CSS. It affects Electron versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, but only in applications that both permit downloads and programmatically destroy sessions at runtime. The flaw occurs when a session is torn down while a native save-file dialog remains open for a download; dismissing the dialog then dereferences already-freed memory, potentially causing a crash or memory corruption. Applications that never destroy sessions dynamically, or that do not permit downloads, are unaffected. The issue carries a CVSS v3.1 base score of 5.8 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L).
Exploitation requires local access to the target system but no privileges (PR:N); it also demands high attack complexity (AC:H) and user interaction (UI:R), such as the victim dismissing a download save dialog at the precise moment the application tears down the session. A successful attack could yield high confidentiality impact, since the memory corruption may enable information disclosure, alongside low integrity and availability impacts such as an application crash.
The Electron security advisory at https://github.com/electron/electron/security/advisories/GHSA-9w97-2464-8783 details the patch, recommending upgrades to Electron 38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8 for remediation. Developers should audit applications for session destruction during active downloads and consider disabling unnecessary download features if patching is delayed.
Details
- CWE(s)