Medium severityOSV Advisory· Published Jul 1, 2025· Updated Apr 15, 2026

CVE-2024-46993

Description

Electron is an open source framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. In versions prior to 28.3.2, 29.3.3, and 30.0.3, the nativeImage.createFromPath() and nativeImage.createFromBuffer() functions call a function downstream that is vulnerable to a heap buffer overflow. An Electron program that uses either of the affected functions is vulnerable to a buffer overflow if an attacker is in control of the image's height, width, and contents. This issue has been patched in versions 28.3.2, 29.3.3, and 30.0.3. There are no workarounds for this issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
electronnpm	< 28.3.2	28.3.2
electronnpm	>= 29.0.0-alpha.1, < 29.3.3	29.3.3
electronnpm	>= 30.0.0-alpha.1, < 30.0.3	30.0.3

Affected products

Electronjs/ElectronOSV
Range: v0.1.0, v0.1.1, v0.1.2, …

Patches

db688056d8d4

https://github.com/electron/electronvia osv

4517547f07f6

https://github.com/electron/electronvia osv

8969189a7235

https://github.com/electron/electronvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-6r2x-8pq8-9489ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-46993ghsaADVISORY
github.com/electron/electron/security/advisories/GHSA-6r2x-8pq8-9489nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000