Electron: Out-of-bounds read in second-instance IPC on macOS and Linux

GHSA-3c8v-cfp5-9885 · CVE-2026-34776

Published Apr 3, 2026 · Modified Apr 6, 2026

Description

Impact

On macOS and Linux, apps that call app.requestSingleInstanceLock() were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler.

This issue is limited to processes running as the same user as the Electron app.

Apps that do not call app.requestSingleInstanceLock() are not affected. Windows is not affected by this issue.

Workarounds

There are no app side workarounds, developers must update to a patched version of Electron.

Fixed Versions

41.0.0
40.8.1
39.8.1
38.8.6

For more information

If there are any questions or comments about this advisory, please email security@electronjs.org

References

WEB https://github.com/electron/electron/security/advisories/GHSA-3c8v-cfp5-9885
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-34776
PACKAGE https://github.com/electron/electron

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes