CVE-2026-34781
LOW2.8EPSS 0.01%Electron: Crash in clipboard.readImage() on malformed clipboard image data
Description
### Impact Apps that call `clipboard.readImage()` may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call `clipboard.readImage()`. Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. ### Workarounds Validate that the clipboard contains image data via `clipboard.availableFormats()` before calling `clipboard.readImage()`. Note this only narrows the window — upgrading to a fixed version is recommended. ### Fixed Versions * `42.0.0-alpha.5` * `41.1.0` * `40.8.5` * `39.8.5` ### For more information If you have any questions or comments about this advisory, email us at [[email protected]](mailto:[email protected])
Affected packages (1)
- npm/electronfrom 0, < 39.8.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW2.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L |
References (9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-34781
- PATCHhttps://github.com/electron/electron
- WEBhttps://github.com/electron/electron/commit/a48f03fb8d03933547281ddb2dbb6c6b9e705287
- WEBhttps://github.com/electron/electron/pull/50475
- WEBhttps://github.com/electron/electron/releases/tag/v39.8.5
- WEBhttps://github.com/electron/electron/releases/tag/v40.8.5
- WEBhttps://github.com/electron/electron/releases/tag/v41.1.0
- WEBhttps://github.com/electron/electron/releases/tag/v42.0.0-alpha.5
- WEBhttps://github.com/electron/electron/security/advisories/GHSA-f37v-82c4-4x64