Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption. All apps that access powerMonitor events (suspend, resume, lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.
Published: 2026-04-03
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Immediate Patch
AI Analysis

Impact

Electron applications that register for powerMonitor events are exposed to a use-after-free flaw (CWE-416). The bug occurs when the native PowerMonitor object is garbage-collected while the OS-level resources it created (a message window on Windows, a shutdown handler on macOS) still hold dangling references to it. A subsequent session-change event on Windows or a system shutdown on macOS then dereferences the freed memory, potentially causing a crash or memory corruption.

Affected Systems

The vulnerability affects Electron releases prior to 38.8.6, 39.8.1, 40.8.0, and 41.0.0‑beta.8. All desktop applications built with the Electron framework that consume powerMonitor events—suspend, resume, lock‑screen, etc.—are potentially impacted. The defect resides in Electron’s core and is present on both Windows and macOS platforms.

Risk and Exploitability

The CVSS score of 7.0 indicates high severity. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, which implies no publicly documented exploitation. Based on the description, the likely attack vector is inferred to be the triggering of a session-change event or a system shutdown, which would typically require local or privileged access. So although a crash or memory corruption could have significant impact, exploitation is limited to environments where an attacker can influence these OS-level events.

Generated by OpenCVE AI on April 4, 2026 at 03:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Electron to version 38.8.6, 39.8.1, 40.8.0, 41.0.0‑beta.8, or any later release that contains the patch.
  • Verify that powerMonitor events continue to function correctly after the upgrade to confirm the fix.
  • If an upgrade is not immediately possible, avoid using the powerMonitor module or ensure that all listeners are removed before the application terminates to prevent dangling references.
  • Continuously monitor Electron security advisories for updates or additional guidance.

Generated by OpenCVE AI on April 4, 2026 at 03:51 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-jjp3-mq3x-295m
Title: Electron: Use-after-free in PowerMonitor on Windows and macOS
History

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared: added Electronjs, Electronjs electron
CPEs: added cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
Vendors & Products: added Electronjs, Electronjs electron

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared: added Electron, Electron electron
Vendors & Products: added Electron, Electron electron

Mon, 06 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description: added (the CVE description shown at the top of this page)
Title: added Electron: Use-after-free in PowerMonitor on Windows and macOS
Weaknesses: added CWE-416
References:
Metrics: added cvssV3_1 {'score': 7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T03:55:36.380Z

Reserved: 2026-03-30T19:54:55.555Z

Link: CVE-2026-34770

Vulnrichment

Updated: 2026-04-06T19:10:11.362Z

NVD

Status: Analyzed

Published: 2026-04-04T00:16:17.823

Modified: 2026-04-22T15:10:05.463

Link: CVE-2026-34770

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T22:21:18Z

Weaknesses