{"id":"GHSA-3c8v-cfp5-9885","summary":"Electron: Out-of-bounds read in second-instance IPC on macOS and Linux","details":"### Impact\nOn macOS and Linux, apps that call `app.requestSingleInstanceLock()` were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's `second-instance` event handler.\n\nThis issue is limited to processes running as the same user as the Electron app.\n\nApps that do not call `app.requestSingleInstanceLock()` are not affected. Windows is not affected by this issue.\n\n### Workarounds\nThere are no app-side workarounds; developers must update to a patched version of Electron.\n\n### Fixed Versions\n* `41.0.0`\n* `40.8.1`\n* `39.8.1`\n* `38.8.6`\n\n### For more information\nIf there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)","aliases":["CVE-2026-34776"],"modified":"2026-04-06T23:20:11.001628Z","published":"2026-04-03T02:43:59Z","database_specific":{"severity":"MODERATE","nvd_published_at":"2026-04-04T00:16:18Z","cwe_ids":["CWE-125"],"github_reviewed_at":"2026-04-03T02:43:59Z","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/electron/electron/security/advisories/GHSA-3c8v-cfp5-9885"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34776"},{"type":"PACKAGE","url":"https://github.com/electron/electron"}],"affected":[{"package":{"name":"electron","ecosystem":"npm","purl":"pkg:npm/electron"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"38.8.6"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-3c8v-cfp5-9885/GHSA-3c8v-cfp5-9885.json"}},{"package":{"name":"electron","ecosystem":"npm","purl":"pkg:npm/electron"},"ranges":[{"type":"SEMVER","events":[{"introduced":"39.0.0-alpha.1"},{"fixed":"39.8.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-3c8v-cfp5-9885/GHSA-3c8v-cfp5-9885.json"}},{"package":{"name":"electron","ecosystem":"npm","purl":"pkg:npm/electron"},"ranges":[{"type":"SEMVER","events":[{"introduced":"40.0.0-alpha.1"},{"fixed":"40.8.1"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-3c8v-cfp5-9885/GHSA-3c8v-cfp5-9885.json"}},{"package":{"name":"electron","ecosystem":"npm","purl":"pkg:npm/electron"},"ranges":[{"type":"SEMVER","events":[{"introduced":"41.0.0-alpha.1"},{"fixed":"41.0.0"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-3c8v-cfp5-9885/GHSA-3c8v-cfp5-9885.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L"}]}