VYPR
Get started
← All advisories
High severity7.0NVD Advisory· Published Apr 4, 2026· Updated Apr 22, 2026

CVE-2026-34770

CVE-2026-34770

Description

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption. All apps that access powerMonitor events (suspend, resume, lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
electronnpm
< 38.8.638.8.6
electronnpm
>= 39.0.0-alpha.1, < 39.8.139.8.1
electronnpm
>= 40.0.0-alpha.1, < 40.8.040.8.0
electronnpm
>= 41.0.0-alpha.1, < 41.0.0-beta.841.0.0-beta.8

Affected products

14
  • Electronjs/Electron14 versions
    cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*+ 13 more
    • cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*
    • cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*
    • cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*
    • cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*
    • cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*
    • cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*
    • cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*
    • cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*
    • cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*
    • cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*
    • cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*
    • cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*
    • cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*
    • cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*range: <38.8.6

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.