Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.
Published: 2026-04-07
Score: 2.8 Low
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

Electron versions prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5 can crash when an application calls clipboard.readImage() while the system clipboard holds malformed image data. The null bitmap that results from the decoding failure is passed unchecked to image construction, triggering a controlled abort that terminates the Electron process. The crash results in a denial of service for the affected application but does not allow memory corruption or arbitrary code execution.

Affected Systems

The vulnerability affects the Electron framework for desktop applications. All Electron releases older than 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5 are impacted, but only applications that invoke clipboard.readImage() are at risk.

Risk and Exploitability

With a CVSS score of 2.8 the severity is low, and no EPSS data or KEV listing is available. The likely attack vector is local: an attacker can place specially crafted image data on the clipboard through user interaction or malicious input to cause a crash. Exploitation requires the application to read the clipboard image; otherwise the issue is irrelevant.

Generated by OpenCVE AI on April 8, 2026 at 13:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Electron to a patched release (39.8.5, 40.8.5, 41.1.0, or 42.0.0-alpha.5 or later).
  • Rebuild or redeploy your application against the updated Electron framework.
  • If upgrading immediately is not possible, avoid calling clipboard.readImage() or validate clipboard contents before use as a temporary workaround.
  • Verify that the application no longer crashes after the upgrade or implementation of the workaround.
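
An added example (not code from the Electron project or from this advisory) of the temporary workaround above: it compares the running Electron version against the fixed releases listed in the description and skips clipboard.readImage() on affected builds. The names isAffected and readImageGuarded are hypothetical, and pre-release tags are ordered by plain SemVer rules, so nightly builds are not handled specially.

```javascript
// Added example, not Electron project code. Fixed versions come from the advisory text.
const FIXED = { 39: '39.8.5', 40: '40.8.5', 41: '41.1.0', 42: '42.0.0-alpha.5' };

// Parse "X.Y.Z" or "X.Y.Z-tag.N"; returns null for anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : null };
}

// SemVer precedence: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  }
  if (!a.pre || !b.pre) return (a.pre ? 0 : 1) - (b.pre ? 0 : 1); // release > pre-release
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn && +x !== +y) return +x - +y;
    if (xn !== yn) return xn ? -1 : 1; // numeric identifiers sort first
    if (!xn && x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when the version predates the fix for its release line (fails closed).
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true;               // unparseable: assume vulnerable
  const fixed = FIXED[v.nums[0]];
  if (!fixed) return v.nums[0] < 39; // older lines have no fixed release listed
  return compareVersions(v, parseVersion(fixed)) < 0;
}

// Hypothetical wrapper: skips the call on affected builds. A try/catch would not
// help, because the failure is a process abort rather than a JavaScript exception.
function readImageGuarded(clipboard, version = process.versions.electron) {
  if (isAffected(version)) return null;
  return clipboard.readImage();
}
```

In an Electron app, pass the real clipboard module as the first argument; callers must treat a null return as "image paste unavailable on this build".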



Advisories
Source ID Title
Github GHSA GHSA-f37v-82c4-4x64 Electron: Crash in clipboard.readImage() on malformed clipboard image data
History

Thu, 16 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Electronjs
Electronjs electron
CPEs cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.2.0:*:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:42.0.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:42.0.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:42.0.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:42.0.0:alpha4:*:*:*:node.js:*:*
Vendors & Products Electronjs
Electronjs electron

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Electron
Electron electron
Vendors & Products Electron
Electron electron

Wed, 08 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1287
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 07 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
Description Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.
Title Electron crashes in clipboard.readImage() on malformed clipboard image data
Weaknesses CWE-476
References
Metrics cvssV3_1

{'score': 2.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T16:14:38.564Z

Reserved: 2026-03-30T19:54:55.556Z

Link: CVE-2026-34781

Vulnrichment

Updated: 2026-04-08T16:10:16.507Z

NVD

Status : Analyzed

Published: 2026-04-07T22:16:23.123

Modified: 2026-04-16T19:34:03.983

Link: CVE-2026-34781

Redhat

Severity : Moderate

Public Date: 2026-04-07T21:20:12Z

Links: CVE-2026-34781 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-08T19:45:33Z

Weaknesses