VYPR
Critical severity · CVSS 9.3 · GHSA Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow

CVE-2026-54257

Description

A critical vulnerability in Electron's Node.js Buffer API causes crashes and incorrect memory allocation, fixed in version 42.3.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability lies in the Node.js Buffer API as built into Electron. The UTF-8 byte length computed for a string can be smaller than the real encoded size, so buffers are allocated too small and the subsequent copy reads or writes outside the allocation (heap buffer underflow or overflow). Observable effects are application crashes and silently truncated Buffer.from()/TextEncoder.encode() results. All Electron releases prior to version 42.3.3 are affected. [1][2]

Exploitation

An attacker triggers the bug by getting a string whose UTF-8 length the runtime miscomputes into any code path that converts it through the Buffer API (Buffer.from(), Buffer.byteLength(), fs.writeFileSync() and similar). No authentication or user interaction is required beyond ordinary Buffer API usage on attacker-influenced data, and because such data routinely arrives over the network the advisory rates the vector as remote. [1] Note that the fix commit ties the miscomputation to a compiler bug that only affects Electron builds for Apple targets (see the patches below).

Impact

Successful exploitation can cause application crashes or incorrect buffer allocations, potentially leading to memory corruption. This may allow an attacker to achieve information disclosure or denial of service. [1][2]

Mitigation

The fixed version is Electron 42.3.3 [2]. No workarounds exist; users must upgrade their Electron dependency. The advisory explicitly warns against using impacted releases. [1][2]

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 2
061dd9c53b10

fix: dangling CFunction pointer in node:wasi fast API calls (#51867)

https://github.com/electron/electron · Samuel Attard · Jun 3, 2026 · Fixed in 42.3.3 · via ghsa-release-walk
1 file changed · +24 −0
  • patches/node/electron_enable_node_startup_snapshot_generation_in_chromium_s_v8.patch (+24 −0, modified)
    @@ -29,6 +29,17 @@ can be created from, eliminating the Node bootstrap recompile.
       snapshot's per-builtin cache.
     - node_mksnapshot.cc: read --electron-v8-snapshot-blob, set the c_function
       drop env var, plumb the base blob to the SnapshotCreator.
    +- node_wasi.cc: make the per-instantiation CFunction in
    +  WasiFunction::SetFunction static. Since the V8 change to store the
    +  v8::CFunction pointer directly in FunctionTemplateInfo (wrapped in a
    +  Foreign), the CFunction must outlive the FunctionTemplate; a stack
    +  local leaves a dangling pointer that TurboFan dereferences when
    +  compiling the fast API call, crashing the wasi tests under
    +  --turbo-fast-api-calls. Mirrors the wasi half of
    +  https://github.com/nodejs/node/pull/62572 (see also
    +  https://github.com/v8/node/pull/254); the matching external
    +  reference registration fix is already in node_external_reference.h
    +  below.
     
     diff --git a/node.gni b/node.gni
     index 8239967653fee7791800ee3292e77b91bffaaef9..c71d66df5d78b8e86ef5cf405ca7c9c8d7e716ee 100644
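Review bot: The added description says the matching external-reference registration fix "is already in node_external_reference.h below", but nothing in this diff touches node_external_reference.h; if that half landed in an earlier commit, cite it here so a reviewer can confirm both halves are present in the same release, and if it is still pending say so, because the static CFunction alone only fixes the dangling pointer, not the snapshot-side registration the note refers to.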
    @@ -179,6 +190,19 @@ index 8561933060ac30e3559d7ce2ac633d25f1e4d6ec..79dad674d21bc82096830eaf5a5100b0
      void SnapshotBuilder::InitializeIsolateParams(const SnapshotData* data,
                                                    Isolate::CreateParams* params) {
        CHECK_NULL(params->snapshot_blob);
    +diff --git a/src/node_wasi.cc b/src/node_wasi.cc
    +index f5aff2f65fe6b9f48cf970ab3e7c57cfe4885f85..3a5108db01568649089c08ee6e3a34d91f136e3f 100644
    +--- a/src/node_wasi.cc
    ++++ b/src/node_wasi.cc
    +@@ -234,7 +234,7 @@ void WASI::New(const FunctionCallbackInfo<Value>& args) {
    + template <typename FT, FT F, typename R, typename... Args>
    + void WASI::WasiFunction<FT, F, R, Args...>::SetFunction(
    +     Environment* env, const char* name, Local<FunctionTemplate> tmpl) {
    +-  auto c_function = CFunction::Make(FastCallback);
    ++  static auto c_function = CFunction::Make(FastCallback);
    +   Local<FunctionTemplate> t =
    +       FunctionTemplate::New(env->isolate(),
    +                             SlowCallback,
     diff --git a/tools/snapshot/node_mksnapshot.cc b/tools/snapshot/node_mksnapshot.cc
     index 0842cba257d0ca36e07c97736e5b24cc77f2a053..0ee1bd02a03b6d303861cd0f8353db6c1be9229f 100644
     --- a/tools/snapshot/node_mksnapshot.cc
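Review bot: Turning `auto c_function` into `static auto c_function` fixes the lifetime but deserves a one-line comment at the declaration explaining why sharing is safe: each `WasiFunction<FT, F, R, Args...>` instantiation gets its own static, and `CFunction::Make(FastCallback)` depends only on the callback address and signature, so one CFunction can be handed to every FunctionTemplate built by `SetFunction` across Environments and isolates. Consider also moving this change into its own patch file; it is unrelated to startup-snapshot generation, and a lifetime fix buried inside electron_enable_node_startup_snapshot_generation_in_chromium_s_v8.patch is easy to lose when that patch is rebased or dropped. Finally, this commit is linked to the advisory via a release walk and touches node:wasi only; nothing here changes Buffer byte-length computation, so the actual fix for this CVE is the separate build patch below.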
    
22bbbc9f265d

build: disable LLVM unroll-add-parallel-reductions on Apple targets (#51849)

https://github.com/electron/electron · trop[bot] · Jun 3, 2026 · Fixed in 42.3.3 · via release-tag
2 files changed · +45 −0
  • patches/chromium/build_disable_llvm_unroll-add-parallel-reductions_on_apple_targets.patch (+44 −0, added)
    @@ -0,0 +1,44 @@
    +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
    +From: Samuel Attard <sam@electronjs.org>
    +Date: Tue, 2 Jun 2026 09:49:15 -0700
    +Subject: build: disable LLVM unroll-add-parallel-reductions on Apple targets
    +
    +LLVM's loop unroller miscompiles sub-form reductions when introducing
    +parallel reduction phis (llvm/llvm-project#201065): the partial
    +accumulators are recombined with alternating signs instead of being
    +summed. Under ThinLTO + PGO this miscompiles simdutf's arm64
    +utf8_length_from_latin1, undercounting UTF-8 lengths for Latin-1
    +strings. In Electron this manifests as silently truncated
    +Buffer.from()/TextEncoder.encode() results, incorrect
    +Buffer.byteLength values, and a heap buffer overflow + CHECK crash in
    +node::Utf8Value (fs.writeFileSync).
    +
    +The unroller only introduces parallel reduction phis organically for
    +Apple M-like CPUs (getAppleRuntimeUnrollPreferences in
    +AArch64TargetTransformInfo.cpp), so only Apple targets are affected;
    +the flag is passed at link time, where ThinLTO backend codegen runs.
    +
    +This patch can be removed once the upstream fix
    +(llvm/llvm-project#201066) ships in the bundled clang.
    +
    +diff --git a/build/config/compiler/BUILD.gn b/build/config/compiler/BUILD.gn
    +index f2b15447535c0916dba2b55a9a68cf372e0e78ab..fb33361e1a28374f105ec5b7c36d409ca3fcb520 100644
    +--- a/build/config/compiler/BUILD.gn
    ++++ b/build/config/compiler/BUILD.gn
    +@@ -801,6 +801,16 @@ config("compiler") {
    +       }
    +     }
    + 
    ++    # Work around an LLVM miscompile of sub-form reductions when the unroller
    ++    # introduces parallel reduction phis (llvm/llvm-project#201065). The
    ++    # parallel reduction phis are only enabled organically for Apple M-like
    ++    # CPUs (getAppleRuntimeUnrollPreferences), so only Apple targets are
    ++    # affected. TODO: remove once the fix (llvm/llvm-project#201066) ships in
    ++    # the bundled clang.
    ++    if (is_apple) {
    ++      ldflags += [ "-Wl,-mllvm,-unroll-add-parallel-reductions=0" ]
    ++    }
    ++
    +     # An import limit of 30 has better performance (per speedometer) and lower
    +     # binary size than the default setting of 100.
    +     # TODO(gbiv): We ideally shouldn't need to specify this; ThinLTO
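Review bot: The workaround is added to `ldflags` only, so it reaches the ThinLTO backend and nothing else; an Apple build where codegen happens at compile time (non-LTO configurations) compiles these loops without it. Since the message attributes the miscompile to ThinLTO + PGO, either guard the block with the LTO condition and say so in the comment, or also add `-mllvm -unroll-add-parallel-reductions=0` to `cflags` so the flag is present wherever the unroller runs. Separately, `is_apple` also covers x64 mac builds; the message says the parallel reduction phis are only introduced for Apple M-like CPUs, so note in the comment that the flag is a harmless no-op there rather than leaving the reader to wonder whether x64 is affected.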
    
  • patches/chromium/.patches (+1 −0, modified)
    @@ -150,5 +150,6 @@ fix_use_fresh_lazynow_for_onendworkitemimpl_after_didruntask.patch
     fix_make_macos_text_replacement_work_on_contenteditable.patch
     fix_constrain_allowuniversalaccessfromfileurls_to_file_origins_in.patch
     build_fix_profile_runtime_resolution_for_pgo_instrumented_builds.patch
    +build_disable_llvm_unroll-add-parallel-reductions_on_apple_targets.patch
     feat_carry_embedder_startup_data_in_createnewwindowreply.patch
     feat_deliver_service_worker_preload_data_via_embeddedworkerstartparams.patch
    

Vulnerability mechanics

Root cause

"LLVM's loop unroller miscompiles sub-form reductions on Apple M-like CPUs, causing simdutf's UTF-8 length calculation to undercount, leading to undersized buffer allocation."

Attack vector

An attacker supplies a Latin-1 string (every character in U+0000–U+00FF, which V8 stores as a one-byte string) to Node.js `Buffer.from()`, `TextEncoder.encode()` or another API that converts it to UTF-8, in an Electron arm64 build for Apple targets. Because LLVM's loop unroller miscompiled `simdutf`'s UTF-8 length calculation when that build was produced, the computed length can be smaller than the real one and the buffer is allocated too small. The result is a heap buffer overflow and a CHECK crash in `node::Utf8Value` (e.g., during `fs.writeFileSync`), or silently truncated data. No authentication or special network access is required beyond the ability to get such a string into one of the affected calls. The miscompile is a property of the binary rather than of the machine it runs on, but arm64 Apple builds run on Apple M-like CPUs in practice. [CWE-120] [patch_id=6110794]

What the fix does

The patch adds a linker flag `-Wl,-mllvm,-unroll-add-parallel-reductions=0` on Apple targets, which disables LLVM's parallel-reduction phi optimization in the loop unroller. This prevents the miscompilation of sub-form reductions that caused `simdutf`'s `utf8_length_from_latin1` to undercount UTF-8 lengths. The flag is applied at link time where ThinLTO backend codegen runs, and the commit notes the workaround can be removed once the upstream LLVM fix (llvm/llvm-project#201066) ships in the bundled clang. [patch_id=6110794]
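The miscount described above, and the check a practitioner would run on a build before and after upgrading, as an added example that is not code from Electron, Node.js or simdutf. It assumes the "sub-form reduction" is the `answer -= (int8)b >> 7` counting loop (one extra byte per code unit >= 0x80) and models the alternating-sign recombination with four partial accumulators as the fix commit describes it, not LLVM's actual codegen; the high-byte patterns and lengths are constructed inputs. `checkRuntime()` compares `Buffer.byteLength`, `Buffer.from` and `TextEncoder.encode` on the running build against an independent reference. Also covers the Exploitation and Mitigation passages of the AI Insight above.

```javascript
// Added example (not Electron's, Node's or simdutf's code). Buffer and
// TextEncoder are globals in Node.js and in Electron's Node integration.

// Reference: UTF-8 byte length of a Latin-1 string. Code units <= 0x7F encode
// to one byte, 0x80..0xFF to two. Throws for anything outside Latin-1, since
// that path uses a different simdutf routine and is not what this bug is about.
function utf8LengthFromLatin1(str) {
  let extra = 0;
  for (let i = 0; i < str.length; i++) {
    const cu = str.charCodeAt(i);
    if (cu > 0xff) throw new RangeError(`not a Latin-1 string at index ${i}`);
    if (cu >= 0x80) extra++;
  }
  return str.length + extra;
}

// Model of the miscompile (assumption: reproduces the arithmetic the fix commit
// describes, not LLVM's real output). The loop is a sub-form reduction:
// answer -= (int8)b >> 7, which adds 1 for each byte >= 0x80. Unrolling spreads
// consecutive bytes over `lanes` partial accumulators; the bug recombines them
// as p0 - p1 + p2 - p3 instead of p0 + p1 + p2 + p3, so high bytes in odd lanes
// cancel high bytes in even lanes and the length is undercounted.
function modelMiscompiledLength(str, lanes = 4) {
  const partial = new Array(lanes).fill(0);
  for (let i = 0; i < str.length; i++) {
    const arithShift = str.charCodeAt(i) >= 0x80 ? -1 : 0; // (int8)b >> 7
    partial[i % lanes] -= arithShift;
  }
  let combined = 0;
  for (let l = 0; l < lanes; l++) combined += l % 2 === 0 ? partial[l] : -partial[l];
  return str.length + combined;
}

// What an undercounted length means for a caller that sizes an allocation with
// it and then writes the full encoding: reports the shortfall instead of
// performing the out-of-bounds write.
function allocationShortfall(str, lengthFn) {
  const allocated = lengthFn(str);
  const needed = utf8LengthFromLatin1(str);
  return { allocated, needed, overflowBytes: Math.max(0, needed - allocated) };
}

// Self-check for a running Node/Electron build. Patterns put high bytes at
// different lane positions; lengths around powers of two exercise the
// unrolled/SIMD tails, which depend on input length. Returns every mismatch.
function checkRuntime() {
  const mismatches = [];
  const encoder = new TextEncoder();
  const patterns = ['\u00e9', 'a\u00e9', 'abc\u00ff', '\u0080\u0080\u0080a'];
  for (const pat of patterns) {
    for (let n = 1; n <= 512; n *= 2) {
      for (const len of [n, n + 1, n + 3, n + 7, n + 15]) {
        const str = pat.repeat(Math.ceil(len / pat.length)).slice(0, len);
        const expected = utf8LengthFromLatin1(str);
        const observed = {
          'Buffer.byteLength': Buffer.byteLength(str, 'utf8'),
          'Buffer.from': Buffer.from(str, 'utf8').length,
          'TextEncoder.encode': encoder.encode(str).length,
        };
        for (const [api, got] of Object.entries(observed)) {
          if (got !== expected) mismatches.push({ api, len, pattern: pat, expected, got });
        }
      }
    }
  }
  return mismatches;
}

// Demonstration on a constructed input: eight copies of U+00E9 ('\u00e9').
const sample = '\u00e9'.repeat(8);
console.log('reference  :', utf8LengthFromLatin1(sample));   // 16
console.log('miscompiled:', modelMiscompiledLength(sample)); // 8
console.log('shortfall  :', allocationShortfall(sample, modelMiscompiledLength));
const bad = checkRuntime();
console.log(bad.length === 0 ? 'runtime byte lengths match the reference' : bad);
```

Run it with `node` or from an Electron main process. A non-empty result from `checkRuntime()` means the build under test undercounts; an empty result on a Linux or Windows build says nothing about the macOS arm64 build, because the miscompile is a property of the binary produced by the affected toolchain, not of the input.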

Preconditions

  • config: the application is an Electron arm64 build for Apple targets produced with the affected toolchain (ThinLTO + PGO); in practice, an Electron app running on Apple Silicon
  • input: the attacker supplies a Latin-1 string (every character in U+0000–U+00FF) to Buffer.from(), Buffer.byteLength(), TextEncoder.encode(), fs.writeFileSync() or another API that converts it to UTF-8

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0

No linked articles in our index yet.