CVE-2026-34773
Published: 04 April 2026
Summary
CVE-2026-34773 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Electronjs Electron. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Modify Registry (T1112). The vulnerability ranks at the 6.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly mandates validation of untrusted inputs like protocol names before writing to the Windows registry, addressing the core improper input validation flaw in Electron's app.setAsDefaultProtocolClient().
SI-2 requires timely identification, reporting, and patching of flaws such as CVE-2026-34773, ensuring Electron is updated to versions with proper protocol validation.
CM-5 restricts and verifies access to configuration changes like registry writes under HKCU\Software\Classes\, limiting the impact of arbitrary subkey modifications even if input validation fails.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unvalidated protocol names to be passed to app.setAsDefaultProtocolClient(), resulting in arbitrary writes to HKCU\Software\Classes\ registry subkeys. This directly enables T1112: Modify Registry to hijack protocol handlers.
NVD Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, on Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers. Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.
Deeper analysis
CVE-2026-34773 is a vulnerability in the Electron framework, which enables developers to build cross-platform desktop applications using JavaScript, HTML, and CSS. On Windows systems, versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0 of Electron fail to validate the protocol name passed to the app.setAsDefaultProtocolClient(protocol) method before writing to the Windows registry. This improper input validation (CWE-20 and CWE-74) allows applications that supply untrusted or external input as the protocol name to inadvertently write to arbitrary subkeys under HKCU\Software\Classes\, potentially enabling protocol handler hijacking. Applications using hardcoded protocol names remain unaffected.
Exploitation requires local access to the target system (AV:L) by an attacker with low privileges (PR:L), though it demands high attack complexity (AC:H) due to the need for the vulnerable application to process untrusted input via the affected API. A successful attack grants high integrity impact (I:H) with no confidentiality or availability disruption, allowing the attacker to overwrite or manipulate registry entries for existing protocol handlers. This could redirect user interactions with specific protocols to malicious handlers controlled by the attacker.
The Electron security advisory at https://github.com/electron/electron/security/advisories/GHSA-mwmh-mq4g-g6gr confirms the issue has been addressed in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0 through proper validation of the protocol name parameter. Security practitioners should urge developers to update Electron dependencies immediately if using the app.setAsDefaultProtocolClient() method with dynamic inputs and audit applications for untrusted protocol handling to mitigate exposure.
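The SI-10 control above amounts to one concrete rule for application code: a protocol name that came from outside the app must be checked against a strict allow-list before it reaches app.setAsDefaultProtocolClient(). The following is an added example, not Electron's patch or any project's code; it assumes the Electron app object is passed in (so it runs outside Electron with a constructed stand-in), and it accepts only names matching the URI scheme grammar of RFC 3986 (a letter followed by letters, digits, "+", "-" or ".") minus an assumed list of reserved schemes.

```javascript
// Added example (not Electron's own code): gate app.setAsDefaultProtocolClient()
// behind a strict allow-list so a name taken from untrusted input can only ever
// reach the registry write as a plain URI scheme.

// RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
// Backslashes, slashes, dots at the start, whitespace and an over-long name all
// fail this test, so the name cannot select a different subkey under
// HKCU\Software\Classes\. The 64-character limit is an assumed local policy.
const SCHEME_RE = /^[A-Za-z][A-Za-z0-9+.-]{0,63}$/;

// Schemes an app should never claim for itself (assumed policy list, not from Electron).
const RESERVED_SCHEMES = new Set(['http', 'https', 'file', 'mailto', 'ms-settings']);

function isValidProtocolName(name) {
  if (typeof name !== 'string') return false;
  if (!SCHEME_RE.test(name)) return false;
  return !RESERVED_SCHEMES.has(name.toLowerCase());
}

// `app` is the Electron app object, or any object exposing the same method;
// passing it in keeps this module testable without an Electron runtime.
function registerProtocolSafely(app, name) {
  if (!isValidProtocolName(name)) {
    // Refuse rather than sanitise: a silently "fixed" name would register a
    // handler the developer never intended.
    throw new Error(`refusing to register protocol handler for invalid name: ${JSON.stringify(name)}`);
  }
  return app.setAsDefaultProtocolClient(name);
}

// Constructed stand-in for the Electron app object, for offline demonstration only.
function makeFakeApp() {
  const registered = [];
  return {
    registered,
    setAsDefaultProtocolClient(name) { registered.push(name); return true; },
  };
}

// Runs a mix of acceptable and hostile candidates through the gate and reports
// which ones were registered and which were refused.
function demo() {
  const app = makeFakeApp();
  const results = {};
  for (const candidate of ['myapp', 'my-app+v2', 'a\\b', '../x', 'http']) {
    try { registerProtocolSafely(app, candidate); results[candidate] = 'registered'; }
    catch (e) { results[candidate] = 'rejected'; }
  }
  return { results, registered: app.registered };
}

if (typeof module !== 'undefined') module.exports = { isValidProtocolName, registerProtocolSafely, makeFakeApp, demo };
```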
Details
- CWE(s)