Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 42.3.1 until 42.3.3, Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow. Most apps will crash and some may perform incorrect buffer allocations in the Node.js Buffer API resulting in unexpected truncation or allocation. This vulnerability is fixed in 42.3.3.
Published: 2026-06-23
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Electron 42.3.1 through 42.3.3 contains a flaw in the Buffer implementation that miscalculates byte length, leading to heap buffer under‑ or overflow when Node.js Buffer APIs are invoked. The result is either an application crash or an unexpected truncation or allocation of memory, which in turn causes memory corruption.

Affected Systems

The Electron framework, versions 42.3.1 to 42.3.3, is vulnerable. Applications built with these releases should verify the Electron version and any dependent packages that target the affected range.

Risk and Exploitability

The CVSS score of 9.3 indicates severe risk. The EPSS score of less than 1 % suggests a very low but non‑zero likelihood of exploitation, and the vulnerability is not listed in KEV. However, risk remains substantial because Electron runs locally on user machines. The vulnerability was fixed in 42.3.3. Based on the description, the likely attack vector is local, arising from code that creates or manipulates Node.js Buffers within the Electron application.

Generated by OpenCVE AI on July 4, 2026 at 08:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Electron to version 42.3.3 or later to apply the corrected buffer handling logic that resolves the improper length calculation flaws identified as CWE‑120 and CWE‑131.
  • Rebuild all Electron‑based applications and any third‑party modules that depend on Electron so that the patched runtime is bundled with the app.
  • Review application code that creates or manipulates Node.js Buffers, ensuring that lengths are validated and that writes use safe APIs; avoid using Buffer.allocUnsafe() or similar unsafe constructors when data is derived from untrusted input.

Generated by OpenCVE AI on July 4, 2026 at 08:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-q6m5-f73j-m9mc Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow
History

Thu, 02 Jul 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-131
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H'}

threat_severity

Important


Tue, 23 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Electron
Electron electron
Vendors & Products Electron
Electron electron

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Description Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 42.3.1 until 42.3.3, Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow. Most apps will crash and some may perform incorrect buffer allocations in the Node.js Buffer API resulting in unexpected truncation or allocation. This vulnerability is fixed in 42.3.3.
Title Electron: Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow
Weaknesses CWE-120
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Electron Electron
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T17:47:47.594Z

Reserved: 2026-06-12T17:13:32.278Z

Link: CVE-2026-54257

cve-icon Vulnrichment

Updated: 2026-06-23T17:47:41.615Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Important

Publid Date: 2026-06-23T17:08:31Z

Links: CVE-2026-54257 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-04T08:30:04Z

Weaknesses
  • CWE-120

    Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • CWE-131

    Incorrect Calculation of Buffer Size