CVE-2026-34781

Description

### Impact Apps that call `clipboard.readImage()` may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call `clipboard.readImage()`. Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. ### Workarounds Validate that the clipboard contains image data via `clipboard.availableFormats()` before calling `clipboard.readImage()`. Note this only narrows the window — upgrading to a fixed version is recommended. ### Fixed Versions * `42.0.0-alpha.5` * `41.1.0` * `40.8.5` * `39.8.5` ### For more information If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org)

How to fix CVE-2026-34781

To remediate CVE-2026-34781, upgrade the affected package to a fixed version below.

• —upgrade to 39.8.5 or later

Is CVE-2026-34781 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 39.8.5

CVSS scores

References (9)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-34781
• PATCHgithub.com/electron/electron
• WEBgithub.com/electron/electron/commit/a48f03fb8d03933547281ddb2dbb6c6b9e705287
• WEBgithub.com/electron/electron/pull/50475
• WEB