Strix
26.1K

CVE-2026-34781

LOWCVSS 3.3/10EPSS 0.14%

Last modified

CVE-2026-34781 is a low-severity vulnerability rated 3.3/10 on the CVSS scale. Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. EPSS estimates a 0.14% chance of exploitation in the next 30 days.

Description

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.

Metrics

CVSS 3.1
3.3/10

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

EPSS Probability
0.14%

4.0th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
ElectronjsElectron<= 39.8.4
ElectronjsElectron>= 40.0.0, <= 40.8.4
ElectronjsElectron>= 41.0.0, < 41.1.0
ElectronjsElectron41.2.0
ElectronjsElectron42.0.0Alpha1

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2026-34781?
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.
How severe is CVE-2026-34781?
CVE-2026-34781 has a CVSS score of 3.3/10 (LOW severity). The EPSS model estimates a 0.14% probability of exploitation in the next 30 days.
How do I fix CVE-2026-34781?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-34781?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST