An undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls.
Apps are only affected if they construct webPreferences from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded webPreferences object are not affected.
Workarounds
Do not spread untrusted input into webPreferences. Use an explicit allowlist of permitted preference keys when constructing BrowserWindow or webContents options from external configuration.
Fixed Versions
41.0.0-beta.8
40.7.0
39.8.0
38.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org
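The allowlist workaround above, sketched as an added example (not code from the advisory or from Electron). `ALLOWED_PREFS`, `ENFORCED_PREFS`, `buildWebPreferences` and the sample configuration are hypothetical names and constructed data; the preference keys shown are only one possible allowlist.

```javascript
// Added example: build webPreferences from external configuration through an
// explicit allowlist instead of spreading the untrusted object.
// All names below are hypothetical, not Electron APIs.

// Keys external configuration may set, each with a validator for its value.
const ALLOWED_PREFS = {
  zoomFactor: (v) => typeof v === 'number' && Number.isFinite(v) && v >= 0.25 && v <= 5,
  spellcheck: (v) => typeof v === 'boolean',
  backgroundThrottling: (v) => typeof v === 'boolean',
};

// Security-relevant preferences are fixed in code and never read from input.
const ENFORCED_PREFS = Object.freeze({
  sandbox: true,
  contextIsolation: true,
  nodeIntegration: false,
  webSecurity: true,
});

// Returns the preferences to pass to BrowserWindow plus the list of keys that
// were dropped, so the caller can log unexpected configuration.
function buildWebPreferences(untrusted) {
  const accepted = {};
  const rejected = [];
  const isPlainObject =
    untrusted !== null && typeof untrusted === 'object' && !Array.isArray(untrusted);

  if (isPlainObject) {
    for (const key of Object.keys(untrusted)) {
      // Own-property lookup so keys such as "constructor" or "__proto__"
      // never resolve to something inherited from Object.prototype.
      const validate = Object.prototype.hasOwnProperty.call(ALLOWED_PREFS, key)
        ? ALLOWED_PREFS[key]
        : null;
      if (validate && validate(untrusted[key])) {
        accepted[key] = untrusted[key];
      } else {
        rejected.push(key);
      }
    }
  }

  // Enforced values are applied last so nothing accepted above can override them.
  return { webPreferences: { ...accepted, ...ENFORCED_PREFS }, rejected };
}

// Constructed sample: a configuration file that carries the undocumented key,
// an attempt to turn the sandbox off, and a value of the wrong type.
const SAMPLE_CONFIG = JSON.parse(
  '{"zoomFactor":1.5,"spellcheck":"yes","sandbox":false,' +
  '"commandLineSwitches":["constructed-switch"]}'
);

// In the main process (not executed here):
//   const { webPreferences, rejected } = buildWebPreferences(configFromDisk);
//   if (rejected.length) console.warn('dropped webPreferences keys:', rejected);
//   new BrowserWindow({ webPreferences });
```
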
On Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.
On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.
Workarounds
Install the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes.
Fixed Versions
41.0.0-beta.8
40.8.0
39.8.1
38.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org
Apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.
An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.
Apps that do not reflect external input into response headers are not affected.
Workarounds
Validate or sanitize any untrusted input before including it in a response header name or value.
Fixed Versions
41.0.3
40.8.3
39.8.3
38.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org
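One way to apply the validation workaround above before a value reaches `protocol.handle()` or `webRequest.onHeadersReceived`, as an added example that is not code from the advisory or from Electron. `assertSafeHeader`, `contentDisposition`, `withExtraHeaders` and the sample filename are hypothetical names and constructed data; the character classes follow the HTTP field-name and field-value grammar.

```javascript
// Added example: reject or encode untrusted input before it becomes part of a
// response header. All function names are hypothetical.

// Header names must be an HTTP "token".
const HEADER_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Header values: HTAB, SP, visible ASCII and obs-text only. CR, LF and NUL,
// which would let a value end the header line, are excluded.
const HEADER_VALUE = /^[\t\x20-\x7e\x80-\xff]*$/;

function assertSafeHeader(name, value) {
  if (typeof name !== 'string' || !HEADER_NAME.test(name)) {
    throw new TypeError('invalid response header name');
  }
  if (typeof value !== 'string' || !HEADER_VALUE.test(value)) {
    throw new TypeError(`invalid characters in value for header ${name}`);
  }
}

// Encoding is preferable to rejecting when the input is legitimately free-form,
// such as a download filename. RFC 5987 percent-encoding leaves no control
// characters in the resulting header value.
function contentDisposition(filename) {
  let encoded;
  try {
    encoded = encodeURIComponent(String(filename));
  } catch (err) {
    // encodeURIComponent throws on lone surrogates.
    throw new TypeError('filename is not valid Unicode');
  }
  // encodeURIComponent leaves ' ( ) * unescaped; RFC 5987 does not allow them.
  encoded = encoded.replace(/['()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
  return `attachment; filename*=UTF-8''${encoded}`;
}

// Merge validated headers into the { name: [values] } shape that
// onHeadersReceived passes as details.responseHeaders.
function withExtraHeaders(responseHeaders, extra) {
  const merged = { ...responseHeaders };
  for (const [name, value] of Object.entries(extra)) {
    assertSafeHeader(name, value);
    merged[name] = [value];
  }
  return merged;
}

// Constructed sample: a filename taken from a request that contains a line break.
const SAMPLE_FILENAME = 'report\r\nSet-Cookie: sid=1.txt';

// In the main process (not executed here):
//   session.defaultSession.webRequest.onHeadersReceived((details, callback) => {
//     callback({
//       responseHeaders: withExtraHeaders(details.responseHeaders, {
//         'Content-Disposition': contentDisposition(nameFromRequest),
//       }),
//     });
//   });
```
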
The select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters.
The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.8
40.7.0
39.8.0
38.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org
Apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption.
All apps that access powerMonitor events (suspend, resume, lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.8
40.8.0
39.8.1
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Apps that allow downloads and programmatically destroy sessions may be vulnerable to a use-after-free. If a session is torn down while a native save-file dialog is open for a download, dismissing the dialog dereferences freed memory, which may lead to a crash or memory corruption.
Apps that do not destroy sessions at runtime, or that do not permit downloads, are not affected.
Workarounds
Avoid destroying sessions while a download save dialog may be open. Cancel pending downloads before session teardown.
Fixed Versions
41.0.0-beta.7
40.7.0
39.8.0
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption.
Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected.
Workarounds
Deny child window creation from offscreen renderers in your setWindowOpenHandler, or ensure child windows are closed before the parent is destroyed.
Fixed Versions
41.0.0
40.7.0
39.8.1
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
The nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration.
Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected.
Workarounds
Avoid enabling nodeIntegrationInWorker in apps that also open child windows or embed content with differing webPreferences.
Fixed Versions
41.0.0
40.8.4
39.8.4
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Apps that register an asynchronous session.setPermissionRequestHandler() may be vulnerable to a use-after-free when handling fullscreen, pointer-lock, or keyboard-lock permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback dereferences freed memory, which may lead to a crash or memory corruption.
Apps that do not set a permission request handler, or whose handler responds synchronously, are not affected.
Workarounds
Respond to permission requests synchronously, or deny fullscreen, pointer-lock, and keyboard-lock requests if an asynchronous flow is required.
Fixed Versions
41.0.0-beta.8
40.7.0
39.8.0
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
On Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers.
Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.
Workarounds
Validate the protocol name matches /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().
Fixed Versions
41.0.0
40.8.1
39.8.1
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content.
The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected.
Workarounds
In your setPermissionRequestHandler, inspect details.requestingUrl rather than the origin parameter or webContents.getURL() when deciding whether to grant fullscreen, pointerLock, keyboardLock, openExternal, or media permissions.
Fixed Versions
41.0.0
40.8.1
39.8.1
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
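A handler that follows the workaround above and decides on `details.requestingUrl`, answering synchronously as the earlier permission-handler advisory also recommends. This is an added example, not code from the advisory or from Electron; `PERMISSION_POLICY`, `requestingOrigin`, `makePermissionHandler`, `decide` and the `*.example` origins are hypothetical.

```javascript
// Added example: grant permissions per requesting origin, taken from
// details.requestingUrl, never from the top-level page. Names are hypothetical.

// Origin -> permissions that origin may be granted (constructed policy).
const PERMISSION_POLICY = new Map([
  ['https://app.example', new Set(['fullscreen', 'media'])],
]);

// Returns the origin of the frame that made the request, or null if the URL is
// missing or unparsable. Opaque origins (file:, data:) come back as the string
// "null" and therefore never match a policy entry.
function requestingOrigin(details) {
  try {
    return new URL(details && details.requestingUrl).origin;
  } catch (err) {
    return null;
  }
}

function makePermissionHandler(policy) {
  // Same parameter order as the function passed to
  // session.setPermissionRequestHandler().
  return function handler(webContents, permission, callback, details) {
    const origin = requestingOrigin(details);
    const allowed =
      origin !== null && policy.has(origin) && policy.get(origin).has(permission);
    // The callback is invoked before the handler returns: no awaiting, no
    // dialogs, so the request is never left pending across a navigation.
    callback(allowed);
  };
}

// Helper for exercising the handler outside Electron with a constructed request.
function decide(handler, permission, requestingUrl) {
  let result;
  handler(null, permission, (granted) => { result = granted; }, { requestingUrl });
  return result;
}

// In the main process (not executed here):
//   session.defaultSession.setPermissionRequestHandler(
//     makePermissionHandler(PERMISSION_POLICY));
```
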
A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data.
Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions.
Workarounds
Do not trust the return value of webContents.executeJavaScript() for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.
Fixed Versions
41.0.0
40.8.1
39.8.1
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
On macOS and Linux, apps that call app.requestSingleInstanceLock() were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler.
This issue is limited to processes running as the same user as the Electron app.
Apps that do not call app.requestSingleInstanceLock() are not affected. Windows is not affected by this issue.
Workarounds
There are no app side workarounds, developers must update to a patched version of Electron.
Fixed Versions
41.0.0
40.8.1
39.8.1
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
On macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt.
Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected.
Workarounds
There are no app side workarounds, developers must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.8
40.8.0
39.8.1
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
Apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption.
Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected.
Workarounds
Ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable.
Fixed Versions
42.0.0-alpha.5
41.1.0
40.8.5
39.8.5
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org
Apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process.
Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution.
Workarounds
Validate that the clipboard contains image data via clipboard.availableFormats() before calling clipboard.readImage(). Note this only narrows the window — upgrading to a fixed version is recommended.
Fixed Versions
42.0.0-alpha.5
41.1.0
40.8.5
39.8.5
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org
When a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions.
Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected.
Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution.
Workarounds
Deny window.open() in renderers that load untrusted content by returning { action: 'deny' } from setWindowOpenHandler. Avoid granting child windows more permissive webPreferences than their opener.
Fixed Versions
42.0.0-alpha.5
41.1.0
40.8.5
39.8.5
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org
Fixed an issue where nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50468 (Also in 38, 40, 41)
Fixed crash when handling JavaScript dialogs from windows opened with invalid or empty URLs. #50400 (Also in 40, 41, 42)
Fixed improper focus tracking in BaseWindow on macOS. #50338 (Also in 40, 41, 42)
Fixed window freeze when failing to enter/exit fullscreen on macOS. #50341 (Also in 40, 41, 42)
Other Changes
Added support for using a proxy during yarn install. #50349 (Also in 40, 41, 42)
Added validation to protocol client methods to reject protocol names that do not conform to the RFC 3986 URI scheme grammar. #50156 (Also in 38, 40, 41)
Fixed an issue on macOS where calling autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #50215 (Also in 40, 41)
Fixed an issue where Chrome Devtools menus may not appear in certain embedded windows. #50136 (Also in 40, 41)
Fixed an issue where additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #50174 (Also in 38, 40, 41)
Fixed an issue where screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #50106 (Also in 40, 41)
Fixed an issue where calling setBounds on a WebContentsView could trigger redundant page-favicon-updated events even when the favicon had not changed. #50086 (Also in 40, 41)
Fixed an issue where invalid characters in custom protocol or webRequest response header values were not rejected. #50129 (Also in 38, 40, 41)
Fixed an issue where permission and device-chooser handlers received the top-level page origin instead of the requesting subframe's origin. #50147 (Also in 38, 40, 41)
Fixed an issue where traffic light buttons would flash at position (0,0) when restoring a window with a custom trafficLightPosition from minimization on macOS. #50208 (Also in 40, 41)
Fixed bug where opening a message box immediately upon closing a child window may cause the parent window to freeze on Windows. #50190 (Also in 40, 41)
Fixed menu bar hiding after a call to win.setFullScreen(false) when not in fullscreen on Linux. #49995 (Also in 40, 41)
Fixed shutdown crash on Windows when hidden titlebar is enabled. #50054 (Also in 40, 41)
Reverted AltGr key fix that caused menu bar to no longer show on Windows. #50109 (Also in 40, 41)
Added support for --experimental-transform-types. #49881 (Also in 40, 41)
Fixes
Fixed an issue on macOS where Universal Links were not delivered to app.on('continue-activity') on cold launch when NSUserActivity.userInfo was nil. #50004 (Also in 40, 41)
Fixed an issue where VideoFrame objects returned through contextBridge had an incorrect prototype. #50021 (Also in 40, 41)
Fixed an issue where setting zoomFactor in setWindowOpenHandler's overrideBrowserWindowOptions had no effect on windows opened via window.open(). #49910 (Also in 40, 41)
Fixed a crash that could occur when using the File System Access API. #49634 (Also in 40, 41)
Fixed an issue where alt+space triggered the system context menu even if an accelerator was registered for the hotkey combination. #49641 (Also in 40, 41)
Fixed an issue where role-based menu items were incorrectly returning null for their accelerator property. #49670 (Also in 40, 41)
Fixed application input broken on certain Wayland compositors when DND action was cancelled. #49694
Fixed dock menu items not respecting enabled and checked properties on macOS. #49626 (Also in 38, 40, 41)
Other Changes
Refactored our MSIX updater code to use an upstream Chromium pattern, eliminating the need for special exception handling build flags. #49688 (Also in 40, 41)
Unknown
Fixed squirrel.mac stacked update behavior to old staged updates. #49637 (Also in 40, 41)
Fixed an issue in chrome://accessibility. #49559 (Also in 40, 41)
Fixed an issue where shell.writeShortcutLink was throwing TypeError: Insufficient number of arguments when called with just [(path, options)]. #49502 (Also in 40, 41)
Fixed crash in platform_util::Beep() on Linux. #49484 (Also in 40, 41)
Fixed a Windows notification issue where clicking a native notification would result in an application hang on certain Windows environments. #49130 (Also in 40)
Fixed an issue where menu-did-close was not emitted properly for some application menus. #49093 (Also in 38, 40)
Reduced amount of visual artifacts while resizing a window on Windows. #49076
Other Changes
Fixed devtools element panel flickering when with node inspection. #49044 (Also in 40)
Fixed an issue where the close callback param for menu.popup would fire when any arbitrary submenu of the given menu closed, and not the menu itself. #49045 (Also in 38, 40)
Fixed crash when reading system certificates via nodejs tls module. #49042 (Also in 40)
Fixed the issue where the parent window was left disabled after the modal window called show() multiple times. #49019 (Also in 38, 40)
Added colorSpace to offscreen shared texture info of webContents.on('paint') event.
Breaking Changed the signature of OffscreenSharedTexture to provide a unified handle that holds the native handle. #47315
Fixed a spec compliance issue with window.open where it should always create a resizable popup window but did not. #47540
For breaking changes inherited via Chromium, see blog post
Features
Additions
Added RGBAF16 output format with scRGB HDR color space support to Offscreen Rendering. #48504
Added fileBacked and purgeable fields to process.getSystemMemoryInfo() for macOS. #47628 (Also in 37, 38)
Added support for guidTray constructor option on macOS to allow tray icons to maintain position across launches. #47838 (Also in 36, 37, 38)
Added webFrameMain.fromFrameToken(processId, frameToken) to get a WebFrameMain instance from its frame token. #47850 (Also in 38)
Added methods to enable more granular accessibility support management. #48625
Added support for app.getRecentDocuments() on Windows and macOS. #45839 (Also in 36, 37, 38)
Added support for USBDevice.configurations. #47459
Added the ability to retrieve the system accent color on Linux using systemPreferences.getAccentColor. #48628
Adds the ability to change window accent color on Windows after initial window initialization via {get|set}AccentColor. #47741 (Also in 36, 37, 38)
Allowed for persisting File System API grant status within a given session. #48326 (Also in 37, 38)
Internally switched to using DIR_ASSETS instead of DIR_MODULE/DIR_EXE to locate assets and resources, and added "assets" as a key that can be queried via app.getPath. #47439 (Also in 37, 38)
Support dynamic ESM imports in non-context isolated preloads. #48488 (Also in 37, 38)
Fixes
Fixed an issue where systemPreferences.getAccentColor inverted the color. #48624
Fixed an issue where calling webContents.openDevTools({ mode: 'detach' }) would cause a crash on Wayl
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
This PR contains the following updates:
35.7.5 → 39.8.5
GitHub Vulnerability Alerts
CVE-2026-34769
Impact
An undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls.
Apps are only affected if they construct webPreferences from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded webPreferences object are not affected.
Workarounds
Do not spread untrusted input into webPreferences. Use an explicit allowlist of permitted preference keys when constructing BrowserWindow or webContents options from external configuration.
Fixed Versions
41.0.0-beta.8
40.7.0
39.8.0
38.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org
CVE-2026-34768
Impact
On Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app.
On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location.
Workarounds
Install the application to a path without spaces, or to a location where all ancestor directories are protected against unauthorized writes.
Fixed Versions
41.0.0-beta.8
40.8.0
39.8.1
38.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org
CVE-2026-34767
Impact
Apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value.
An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls.
Apps that do not reflect external input into response headers are not affected.
Workarounds
Validate or sanitize any untrusted input before including it in a response header name or value.
Fixed Versions
41.0.3
40.8.3
39.8.3
38.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org
CVE-2026-34766
Impact
The select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters.
The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.8
40.7.0
39.8.0
38.8.6
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org
CVE-2026-34770
Impact
Apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption.
All apps that access powerMonitor events (suspend, resume, lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable.
Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.8
40.8.0
39.8.1
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
CVE-2026-34772
Impact
Apps that allow downloads and programmatically destroy sessions may be vulnerable to a use-after-free. If a session is torn down while a native save-file dialog is open for a download, dismissing the dialog dereferences freed memory, which may lead to a crash or memory corruption.
Apps that do not destroy sessions at runtime, or that do not permit downloads, are not affected.
Workarounds
Avoid destroying sessions while a download save dialog may be open. Cancel pending downloads before session teardown.
Fixed Versions
41.0.0-beta.7
40.7.0
39.8.0
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
CVE-2026-34774
Impact
Apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption.
Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected.
Workarounds
Deny child window creation from offscreen renderers in your setWindowOpenHandler, or ensure child windows are closed before the parent is destroyed.
Fixed Versions
41.0.0
40.7.0
39.8.1
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
CVE-2026-34775
Impact
The nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration.
Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected.
Workarounds
Avoid enabling nodeIntegrationInWorker in apps that also open child windows or embed content with differing webPreferences.
Fixed Versions
41.0.0
40.8.4
39.8.4
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
CVE-2026-34771
Impact
Apps that register an asynchronous session.setPermissionRequestHandler() may be vulnerable to a use-after-free when handling fullscreen, pointer-lock, or keyboard-lock permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback dereferences freed memory, which may lead to a crash or memory corruption.
Apps that do not set a permission request handler, or whose handler responds synchronously, are not affected.
Workarounds
Respond to permission requests synchronously, or deny fullscreen, pointer-lock, and keyboard-lock requests if an asynchronous flow is required.
Fixed Versions
41.0.0-beta.8
40.7.0
39.8.0
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
CVE-2026-34773
Impact
On Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes\, potentially hijacking existing protocol handlers.
Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected.
Workarounds
Validate the protocol name matches /^[a-zA-Z][a-zA-Z0-9+.-]*$/ before passing it to app.setAsDefaultProtocolClient().
Fixed Versions
41.0.0
40.8.1
39.8.1
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
CVE-2026-34777
Impact
When an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content.
The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected.
Workarounds
In your setPermissionRequestHandler, inspect details.requestingUrl rather than the origin parameter or webContents.getURL() when deciding whether to grant fullscreen, pointerLock, keyboardLock, openExternal, or media permissions.
Fixed Versions
41.0.0
40.8.1
39.8.1
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
CVE-2026-34778
Impact
A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data.
Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions.
Workarounds
Do not trust the return value of webContents.executeJavaScript() for security decisions. Use dedicated, validated IPC channels for security-relevant communication with renderers.
Fixed Versions
41.0.0
40.8.1
39.8.1
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
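One shape a dedicated, validated IPC channel can take, as an added example (not code from Electron or from the advisory): the main-process handler checks the sending frame's origin and the payload shape before using anything. The channel name, allowed origin and payload format are assumptions; the renderer side would call ipcRenderer.invoke on this channel from its preload script.

```javascript
// Added example. CHANNEL, ALLOWED_ORIGIN and the payload shape are assumptions.
const ALLOWED_ORIGIN = 'https://app.example.com';
const CHANNEL = 'doc:export-request';

// Origin of the frame that sent the message; null when it cannot be established.
function senderOrigin(event) {
  const frame = event && event.senderFrame; // can be null if the frame is gone
  if (!frame || typeof frame.url !== 'string') return null;
  try {
    return new URL(frame.url).origin;
  } catch {
    return null;
  }
}

// Accept exactly { docId: <1-64 chars of [A-Za-z0-9_-]> } and nothing else.
function parseExportRequest(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) return null;
  if (Object.keys(payload).join(',') !== 'docId') return null;
  if (typeof payload.docId !== 'string') return null;
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(payload.docId)) return null;
  return { docId: payload.docId };
}

// Main-process handler: reject first, then use only the re-built object.
function handleExportRequest(event, payload) {
  if (senderOrigin(event) !== ALLOWED_ORIGIN) throw new Error('untrusted sender');
  const request = parseExportRequest(payload);
  if (request === null) throw new Error('malformed payload');
  return request;
}

// Wiring: pass Electron's ipcMain from the main process.
function registerExportChannel(ipcMain) {
  ipcMain.handle(CHANNEL, handleExportRequest);
}
```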
CVE-2026-34776
Impact
On macOS and Linux, apps that call app.requestSingleInstanceLock() were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler.
This issue is limited to processes running as the same user as the Electron app.
Apps that do not call app.requestSingleInstanceLock() are not affected. Windows is not affected by this issue.
Workarounds
There are no app-side workarounds; developers must update to a patched version of Electron.
Fixed Versions
41.0.0
40.8.1
39.8.1
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
CVE-2026-34779
Impact
On macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt.
Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected.
Workarounds
There are no app-side workarounds; developers must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.8
40.8.0
39.8.1
38.8.6
For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
CVE-2026-34764
Impact
Apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption.
Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected.
Workarounds
Ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable.
Fixed Versions
42.0.0-alpha.5
41.1.0
40.8.5
39.8.5
For more information
If there are any questions or comments about this advisory, send an email to security@electronjs.org
CVE-2026-34781
Impact
Apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process.
Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution.
Workarounds
Validate that the clipboard contains image data via clipboard.availableFormats() before calling clipboard.readImage(). Note this only narrows the window — upgrading to a fixed version is recommended.
Fixed Versions
42.0.0-alpha.5
41.1.0
40.8.5
39.8.5
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org
CVE-2026-34765
Impact
When a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions.
Apps are only affected if they open multiple top-level windows with differing trust levels and use setWindowOpenHandler to grant child windows elevated webPreferences such as a privileged preload script. Apps that do not elevate child window privileges, or that use a single top-level window, are not affected.
Apps that additionally grant nodeIntegration: true or sandbox: false to child windows (contrary to the security recommendations) may be exposed to arbitrary code execution.
Workarounds
Deny window.open() in renderers that load untrusted content by returning { action: 'deny' } from setWindowOpenHandler. Avoid granting child windows more permissive webPreferences than their opener.
Fixed Versions
42.0.0-alpha.5
41.1.0
40.8.5
39.8.5
For more information
If you have any questions or comments about this advisory, email us at security@electronjs.org
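Both workarounds for the window.open() issue in one handler factory, as an added example (not code from Electron or from the advisory): windows that load untrusted content always get { action: 'deny' }, and trusted windows get child options with the privilege-raising webPreferences keys removed. APP_ORIGIN, the policy object and the function names are assumptions.

```javascript
// Added example. APP_ORIGIN, the policy shape and function names are assumptions.
const APP_ORIGIN = 'https://app.example.com';

// webPreferences keys that could make a child more privileged than its opener.
const ELEVATING_KEYS = [
  'preload', 'nodeIntegration', 'nodeIntegrationInWorker',
  'nodeIntegrationInSubFrames', 'sandbox', 'contextIsolation', 'webSecurity',
];

// Copy the requested child options, dropping every elevating preference.
function withoutElevation(options = {}) {
  const webPreferences = { ...(options.webPreferences || {}) };
  for (const key of ELEVATING_KEYS) delete webPreferences[key];
  return { ...options, webPreferences };
}

// policy.loadsUntrustedContent: true for any window showing third-party content.
// policy.childOptions: cosmetic BrowserWindow options wanted for child windows.
function makeWindowOpenHandler(policy) {
  return ({ url }) => {
    if (policy.loadsUntrustedContent) return { action: 'deny' };
    let origin = null;
    try {
      origin = new URL(url).origin;
    } catch {
      // malformed URL: origin stays null and is denied below
    }
    if (origin !== APP_ORIGIN) return { action: 'deny' };
    return {
      action: 'allow',
      overrideBrowserWindowOptions: withoutElevation(policy.childOptions),
    };
  };
}

// Wiring: call once per BrowserWindow with that window's own policy.
function installWindowOpenHandler(win, policy) {
  win.webContents.setWindowOpenHandler(makeWindowOpenHandler(policy));
}
```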
Release Notes
electron/electron (electron)
v39.8.5: electron v39.8.5
Release Notes for v39.8.5
Fixes
clipboard.readImage() when the clipboard contains malformed image data. #50493 (Also in 40, 41, 42)
release() after the texture object was garbage collected. #50499 (Also in 40, 41, 42)
v39.8.4: electron v39.8.4
Release Notes for v39.8.4
Fixes
nodeIntegrationInWorker overrides in setWindowOpenHandler were not honored for child windows sharing a renderer process with their opener. #50468 (Also in 38, 40, 41)
Other Changes
4859353. #50440
4893813. #50443
4847510, 4871177. #50461
v39.8.3: electron v39.8.3
Release Notes for v39.8.3
Fixes
fs copy methods. #50284 (Also in 40, 41, 42)
v39.8.2: electron v39.8.2
Release Notes for v39.8.2
Other Changes
v39.8.1: electron v39.8.1
Release Notes for v39.8.1
Fixes
autoUpdater.quitAndInstall() could fail if checkForUpdates() was called again after an update was already downloaded. #50215 (Also in 40, 41)
additionalData passed to app.requestSingleInstanceLock on Windows could be truncated or fail to deserialize in the primary instance's second-instance event. #50174 (Also in 38, 40, 41)
screen.getCursorScreenPoint() crashed on Wayland when it was called before a BrowserWindow had been created. #50106 (Also in 40, 41)
setBounds on a WebContentsView could trigger redundant page-favicon-updated events even when the favicon had not changed. #50086 (Also in 40, 41)
trafficLightPosition from minimization on macOS. #50208 (Also in 40, 41)
win.setFullScreen(false) when not in fullscreen on Linux. #49995 (Also in 40, 41)
Other Changes
v39.8.0: electron v39.8.0
Release Notes for v39.8.0
Features
--experimental-transform-types. #49881 (Also in 40, 41)
Fixes
app.on('continue-activity') on cold launch when NSUserActivity.userInfo was nil. #50004 (Also in 40, 41)
VideoFrame objects returned through contextBridge had an incorrect prototype. #50021 (Also in 40, 41)
zoomFactor in setWindowOpenHandler's overrideBrowserWindowOptions had no effect on windows opened via window.open(). #49910 (Also in 40, 41)
v39.7.0: electron v39.7.0
Release Notes for v39.7.0
Features
long-animation-frame script attribution (via --enable-features=AlwaysLogLOAFURL). #49771 (Also in 40, 41)
Fixes
v39.6.1: electron v39.6.1
Release Notes for v39.6.1
Fixes
v39.6.0: electron v39.6.0
Release Notes for v39.6.0
Features
Fixes
CoreAudio Tap API for audio capture used in electron's desktopCapturer (🍏 macOS). #49740 (Also in 41)
Other Changes
4835695. #49791
v39.5.2: electron v39.5.2
Release Notes for v39.5.2
Fixes
null for their accelerator property. #49670 (Also in 40, 41)
Other Changes
Unknown
v39.5.1: electron v39.5.1
Release Notes for v39.5.1
Fixes
v39.5.0: electron v39.5.0
Release Notes for v39.5.0
Features
Fixes
v39.4.0: electron v39.4.0
Release Notes for v39.4.0
Fixes
chrome://accessibility. #49559 (Also in 40, 41)
shell.writeShortcutLink was throwing TypeError: Insufficient number of arguments when called with just [(path, options)]. #49502 (Also in 40, 41)
Other Changes
Unknown
v39.3.0: electron v39.3.0
Release Notes for v39.3.0
Features
login event on webContents. #49065 (Also in 40)
Fixes
setRepresentedFilename() not setting AXDocument accessibility attribute on macOS. #49418 (Also in 40)
net are now capable of having their headers modified to use reserved headers via webRequest. #49242 (Also in 40)
Other Changes
4667866. #49287
v39.2.7: electron v39.2.7
Release Notes for v39.2.7
Other Changes
v39.2.6: electron v39.2.6
Release Notes for v39.2.6
Fixes
Other Changes
v39.2.5: electron v39.2.5
Release Notes for v39.2.5
Fixes
menu-did-close was not emitted properly for some application menus. #49093 (Also in 38, 40)
Other Changes
v39.2.4: electron v39.2.4
Release Notes for v39.2.4
Fixes
menu.popup would fire when any arbitrary submenu of the given menu closed, and not the menu itself. #49045 (Also in 38, 40)
Other Changes
v39.2.3: electron v39.2.3
Release Notes for v39.2.3
v39.2.2: electron v39.2.2
Release Notes for v39.2.2
Fixes
v39.2.1: electron v39.2.1
Release Notes for v39.2.1
Fixes
v39.2.0: electron v39.2.0
Release Notes for v39.2.0
Features
app.isHardwareAccelerationEnabled(). #48680 (Also in 37, 38)
window.setAccentColor(null). #48852 (Also in 38)
nativeImage.createFromNamedImage to support SF Symbol names. #48773 (Also in 40)
Fixes
Other Changes
v39.1.2: electron v39.1.2
Release Notes for v39.1.2
Fixes
Other Changes
Documentation
Unknown
v39.1.1: electron v39.1.1
Release Notes for v39.1.1
Fixes
v39.1.0: electron v39.1.0
Release Notes for v39.1.0
Fixes
Other Changes
v39.0.0: electron v39.0.0
Release Notes for v39.0.0
Stack Upgrades
142.0.7444.52
22.20.0
14.2
Breaking Changes
colorSpace to offscreen shared texture info of webContents.on('paint') event.
OffscreenSharedTexture to provide a unified handle that holds the native handle. #47315
window.open where it should always create a resizable popup window but did not. #47540
For breaking changes inherited via Chromium, see blog post
Features
Additions
RGBAF16 output format with scRGB HDR color space support to Offscreen Rendering. #48504
fileBacked and purgeable fields to process.getSystemMemoryInfo() for macOS. #47628 (Also in 37, 38)
guid Tray constructor option on macOS to allow tray icons to maintain position across launches. #47838 (Also in 36, 37, 38)
webFrameMain.fromFrameToken(processId, frameToken) to get a WebFrameMain instance from its frame token. #47850 (Also in 38)
app.getRecentDocuments() on Windows and macOS. #45839 (Also in 36, 37, 38)
USBDevice.configurations. #47459
systemPreferences.getAccentColor. #48628
{get|set}AccentColor. #47741 (Also in 36, 37, 38)
DIR_ASSETS instead of DIR_MODULE/DIR_EXE to locate assets and resources, and added "assets" as a key that can be queried via app.getPath. #47439 (Also in 37, 38)
Fixes
systemPreferences.getAccentColor inverted the color. #48624
webContents.openDevTools({ mode: 'detach' }) would cause a crash on Wayl