logo

Database

Out-of-bounds read In electron

Description

Electron: Out-of-bounds read in second-instance IPC on macOS and Linux

Impact

On macOS and Linux, apps that call app.requestSingleInstanceLock() were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler.

This issue is limited to processes running as the same user as the Electron app.

Apps that do not call app.requestSingleInstanceLock() are not affected. Windows is not affected by this issue.

Workarounds

There are no app side workarounds, developers must update to a patched version of Electron.

Fixed Versions

    41.0.0

    40.8.1

    39.8.1

    38.8.6

For more information

If there are any questions or comments about this advisory, please email [email protected]

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-347762. NVD-2026-347763. OSV-2026-347764. GHSA-3c8v-cfp5-98855. GCVE-2026-34776

References

1. https://github.com/electron/electron/security/advisories/GHSA-3c8v-cfp5-9885

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.