Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, apps that allow downloads and programmatically destroy sessions may be vulnerable to a use-after-free. If a session is torn down while a native save-file dialog is open for a download, dismissing the dialog dereferences freed memory, which may lead to a crash or memory corruption. Apps that do not destroy sessions at runtime, or that do not permit downloads, are not affected. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.
Published: 2026-04-03
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Corruption
Action: Patch Immediately
AI Analysis

Impact

A use‑after‑free occurs when an Electron application that supports downloads programmatically destroys a session while a native file‑save dialog is open. Dismissing the dialog after the session has been torn down dereferences already freed memory, which may cause the application to crash or corrupt memory. If the corrupted memory is exploitable, an attacker could potentially achieve remote code execution. Based on the description, the vulnerable condition requires the attacker to have influence over the application’s session life cycle and trigger a download save dialog.

Affected Systems

The Electron framework, versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0‑beta.8 are patched for this issue. Applications built with earlier releases of Electron and that allow downloads and session destruction at runtime are affected. Applications that do not allow downloads or do not destroy sessions at runtime are not impacted.

Risk and Exploitability

The CVSS score of 5.8 indicates a medium severity as the vulnerability could lead to denial of service or memory corruption but does not guarantee remote code execution. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is most likely local, requiring the attacker to control the application or influence user actions. Overall, the risk is moderate, mitigated further by the low exploitation probability.

Generated by OpenCVE AI on April 7, 2026 at 01:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Electron to version 38.8.6, 39.8.0, 40.7.0, 41.0.0‑beta.8 or newer.

Generated by OpenCVE AI on April 7, 2026 at 01:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9w97-2464-8783 Electron: Use-after-free in download save dialog callback
History

Wed, 22 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Electronjs
Electronjs electron
CPEs cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*
Vendors & Products Electronjs
Electronjs electron

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Electron
Electron electron
Weaknesses CWE-825
Vendors & Products Electron
Electron electron
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, apps that allow downloads and programmatically destroy sessions may be vulnerable to a use-after-free. If a session is torn down while a native save-file dialog is open for a download, dismissing the dialog dereferences freed memory, which may lead to a crash or memory corruption. Apps that do not destroy sessions at runtime, or that do not permit downloads, are not affected. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.
Title Electron: Use-after-free in download save dialog callback
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 5.8, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L'}

Subscriptions

Electron Electron
Electronjs Electron
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T15:27:44.773Z

Reserved: 2026-03-30T19:54:55.555Z

Link: CVE-2026-34772

cve-icon Vulnrichment

Updated: 2026-04-06T15:27:35.499Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-04T00:16:18.133

Modified: 2026-04-22T15:10:25.353

Link: CVE-2026-34772

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-03T23:49:20Z

Links: CVE-2026-34772 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:16:26Z

Weaknesses