Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, the select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters. The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.
Published: 2026-04-03
Score: 3.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized USB device access
Action: Patch
AI Analysis

Impact

Electron's select-usb-device event callback failed to verify that the selected device ID was one of the devices presented to the handler. An application could therefore grant access to any USB device that passed the WebUSB blocklist but was not in the filtered set. The flaw gives the app unauthorized access to USB peripherals; it does not enable code execution or broader system compromise.

Affected Systems

All Electron releases prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8 are affected: the 38.x line before 38.8.6, the 39.x line before 39.8.0, the 40.x line before 40.7.0, and the 41.0.0 pre-releases before 41.0.0-beta.8. The vulnerability is confined to the Electron framework itself rather than the underlying operating system.

Risk and Exploitability

The CVSS score of 3.3 indicates low severity, and with an EPSS below one percent the likelihood of exploitation is very low. It is not listed in the CISA KEV catalog. Because the flaw requires influencing the application's own USB selection logic, it is not remotely exploitable from outside the app, which limits the risk to software that improperly handles device selection.

Generated by OpenCVE AI on April 9, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a patched version of Electron (38.8.6, 39.8.0, 40.7.0, or 41.0.0-beta.8 or newer).
  • If upgrading is not possible, audit the app’s USB device selection logic to ensure only devices from the filtered list are chosen.
  • Apply OS‑level USB access controls or sandboxing to restrict available peripherals.

Generated by OpenCVE AI on April 9, 2026 at 17:54 UTC.
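The second recommended action above is the check that patched Electron now performs itself. The following is an added example, not Electron's or the advisory's own code, of doing that check in the app's select-usb-device handler so that an unpatched version never grants a device outside the presented list. The listener signature (event, details, callback), details.deviceList as an array of USBDevice objects with a string deviceId, and callback(undefined) cancelling the request are assumed from Electron's session documentation; the remembered-device policy, the getRemembered accessor and the sample devices are constructed for this example.

```javascript
// Added example, not Electron's own code: a select-usb-device handler that
// re-checks the chosen device against the list Electron presented.
// Assumed from the Electron session docs: the listener signature
// (event, details, callback), details.deviceList as an array of USBDevice
// objects with a string deviceId, and callback(undefined) cancelling the request.
// rememberedDeviceId, getRemembered and the sample devices are constructed here.

// Constructed stand-in for details.deviceList: Electron only lists devices that
// match the renderer's requested filters and are not in exclusionFilters.
const SAMPLE_DEVICE_LIST = [
  { deviceId: 'dev-keyboard-01', vendorId: 0x1234, productId: 0x0001, productName: 'Vendor Keyboard' },
  { deviceId: 'dev-badge-07', vendorId: 0x1234, productId: 0x0042, productName: 'Badge Reader' },
];

// App policy with "unusual device-selection logic": auto-pick the device the user
// approved in an earlier session. That ID comes from persisted state, so it may
// refer to a device that is not in the current filtered list at all.
function chooseRememberedDevice(deviceList, rememberedDeviceId) {
  if (rememberedDeviceId) {
    return rememberedDeviceId;
  }
  return deviceList.length > 0 ? deviceList[0].deviceId : undefined;
}

// The validation the advisory describes: accept the candidate only if Electron
// actually presented it in deviceList, otherwise return undefined.
function validateSelection(deviceList, candidateId) {
  if (!Array.isArray(deviceList) || typeof candidateId !== 'string') {
    return undefined;
  }
  const presented = new Set(deviceList.map((device) => device.deviceId));
  return presented.has(candidateId) ? candidateId : undefined;
}

// Builds the listener for session.on('select-usb-device', ...). getRemembered is a
// hypothetical accessor for the app's persisted choice.
function makeSelectUsbDeviceHandler(getRemembered) {
  return (event, details, callback) => {
    event.preventDefault(); // take over selection instead of Electron's default behaviour
    const candidate = chooseRememberedDevice(details.deviceList, getRemembered());
    // undefined here cancels the request: no device is granted rather than the wrong one.
    callback(validateSelection(details.deviceList, candidate));
  };
}

// Offline simulation with a fake event and callback; returns what the handler
// would hand back to Electron for the given remembered ID and device list.
function simulateSelection(rememberedDeviceId, deviceList = SAMPLE_DEVICE_LIST) {
  let granted = 'unset';
  const handler = makeSelectUsbDeviceHandler(() => rememberedDeviceId);
  handler({ preventDefault() {} }, { deviceList }, (deviceId) => { granted = deviceId; });
  return granted;
}

// Stand-alone run: a stale ID from a previous session with different filters is refused.
console.log(simulateSelection('dev-badge-07')); // dev-badge-07
console.log(simulateSelection('dev-stale-99')); // undefined
```

In a real app the handler returned by makeSelectUsbDeviceHandler is registered with session.defaultSession.on('select-usb-device', ...); the point of the wrapper is that whatever the policy function returns, including a persisted or externally influenced ID, is filtered through the list Electron presented before it reaches callback.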

Tracking


Advisories
Source        ID                    Title
GitHub GHSA   GHSA-9899-m83m-qhpj   Electron: USB device selection not validated against filtered device list
History

Thu, 09 Apr 2026 16:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Electronjs
                                      Electronjs electron
CPEs                 -                cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
                                      cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*
                                      cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*
                                      cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*
                                      cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*
                                      cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*
                                      cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*
                                      cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*
                                      cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*
                                      cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*
                                      cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*
                                      cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*
                                      cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*
                                      cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*
Vendors & Products   -                Electronjs
                                      Electronjs electron

Tue, 07 Apr 2026 00:00:00 +0000

Type                 Values Removed          Values Added
First Time appeared  -                       Electron
                                             Electron electron
Weaknesses           -                       CWE-1289
Vendors & Products   -                       Electron
                                             Electron electron
References           -                       -
Metrics              threat_severity: None   threat_severity: Low


Mon, 06 Apr 2026 20:00:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description   -                Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, the select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters. The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.
Title         -                Electron: USB device selection not validated against filtered device list
Weaknesses    -                CWE-862
References    -                -
Metrics       -                cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T19:07:15.349Z

Reserved: 2026-03-30T19:54:55.554Z

Link: CVE-2026-34766

Vulnrichment

Updated: 2026-04-06T19:07:11.210Z

NVD

Status : Analyzed

Published: 2026-04-04T00:16:17.140

Modified: 2026-04-09T16:23:12.870

Link: CVE-2026-34766

Redhat

Severity : Low

Public Date: 2026-04-03T23:35:10Z

Links: CVE-2026-34766 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-10T09:45:29Z

Weaknesses