GHSA-3c8v-cfp5-9885 — medium GitHub Advisory (CVE-2026-34776) in npm/electron

Description

Impact

On macOS and Linux, apps that call app.requestSingleInstanceLock() were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler.

This issue is limited to processes running as the same user as the Electron app.

Apps that do not call app.requestSingleInstanceLock() are not affected. Windows is not affected by this issue.

Workarounds

There are no app side workarounds, developers must update to a patched version of Electron.

Fixed Versions

41.0.0
40.8.1
39.8.1
38.8.6

For more information

If there are any questions or comments about this advisory, please email [email protected]

Basic information

Type: reviewed
Severity: medium
Advisory on GitHub: Open advisory ↗
Repository advisory: Open repository advisory ↗
Source code: Browse source ↗
Published (advisory): 2026-04-03 02:43:59 UTC
Updated: 2026-04-06 23:11:06 UTC
GitHub reviewed: 2026-04-03 02:43:59 UTC
NVD published: 2026-04-04 00:16:18 UTC

Score	Percentile
0.01%	2.92%

CVSS Scores

Base score	Version	Severity	Vector
5.3	3.1	—	`CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:L` Click to expand Attack vector (AV:L) They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by. Attack complexity (AC:H) Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work. Privileges required (PR:L) A normal user session is enough; they don’t have to be admin. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:N) Data isn’t meaningfully altered or forged. Availability (A:L) Might cause slowdowns, glitches, or partial disruption—not a full brick.

Identifiers

Type	Value
GHSA	GHSA-3c8v-cfp5-9885 ↗
CVE	CVE-2026-34776 ↗

CWEs

CWE id	Name
CWE-125	Out-of-bounds Read

Affected packages (4)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem	Package	Vulnerable range	First patched	Vulnerable functions
npm	electron	< 38.8.6	38.8.6	—
npm	electron	>= 39.0.0-alpha.1, < 39.8.1	39.8.1	—
npm	electron	>= 40.0.0-alpha.1, < 40.8.1	40.8.1	—
npm	electron	>= 41.0.0-alpha.1, < 41.0.0	41.0.0	—

Electron: Out-of-bounds read in second-instance IPC on macOS and Linux