Electron: Crash in clipboard.readImage() on malformed clipboard image data
GHSA-f37v-82c4-4x64 · CVE-2026-34781
Published · Modified
Description
Impact
Apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process.
Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution.
Workarounds
Validate that the clipboard contains image data via clipboard.availableFormats() before calling clipboard.readImage(). Note this only narrows the window — upgrading to a fixed version is recommended.
Fixed Versions
42.0.0-alpha.541.1.040.8.539.8.5
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org
References
- WEB https://github.com/electron/electron/security/advisories/GHSA-f37v-82c4-4x64
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-34781
- WEB https://github.com/electron/electron/pull/50475
- WEB https://github.com/electron/electron/commit/a48f03fb8d03933547281ddb2dbb6c6b9e705287
- PACKAGE https://github.com/electron/electron
- WEB https://github.com/electron/electron/releases/tag/v39.8.5
- WEB https://github.com/electron/electron/releases/tag/v40.8.5
- WEB https://github.com/electron/electron/releases/tag/v41.1.0
- WEB https://github.com/electron/electron/releases/tag/v42.0.0-alpha.5
Ready to move
Start Securing
Free, no credit card | First findings in minutes