Electron: USB device selection not validated against filtered device list
GHSA-9899-m83m-qhpj · CVE-2026-34766
Published · Modified
Description
Impact
The select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters.
The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.840.7.039.8.038.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org
Ready to move
Start Securing
Free, no credit card | First findings in minutes