Out-of-bounds Read Affecting electron package, versions <38.8.6>=39.0.0-alpha.1 <39.8.1>=40.0.0-alpha.2 <40.8.1>=41.0.0-alpha.1 <41.0.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-ELECTRON-15876361
- published3 Apr 2026
- disclosed3 Apr 2026
- creditUnknown
Introduced: 3 Apr 2026
NewCVE-2026-34776 (opens in a new tab)How to fix?
Upgrade electron to version 38.8.6, 39.8.1, 40.8.1, 41.0.0 or higher.
Overview
electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS.
Affected versions of this package are vulnerable to Out-of-bounds Read in the second-instance event handler when parsing a crafted second-instance message via the app.requestSingleInstanceLock process. An attacker can access sensitive memory contents or cause application instability by sending a specially crafted message from another process running as the same user.
Note:
This is only exploitable if the application calls app.requestSingleInstanceLock() and is running on macOS or Linux as the same user.