CVE-2026-34773
Registry Write Vulnerability in Electron app.setAsDefaultProtocolClient on Windows
Publication date: 2026-04-04
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| electronjs | electron | to 38.8.6 (exc) |
| electronjs | electron | From 39.0.0 (inc) to 39.8.1 (exc) |
| electronjs | electron | From 40.0.0 (inc) to 40.8.1 (exc) |
| electronjs | electron | 41.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34773 is a moderate severity vulnerability in the Electron framework on Windows platforms, specifically in the function app.setAsDefaultProtocolClient(protocol).
The vulnerability occurs because this function does not validate the protocol name before writing it to the Windows registry under HKCU\Software\Classes\.
If an application passes untrusted or externally derived input as the protocol name, an attacker can exploit this to write to arbitrary subkeys in the registry, potentially hijacking existing protocol handlers.
This issue affects Electron versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0, and has been patched in those versions.
The root cause is improper input validation and improper neutralization of special elements in output used by a downstream component, meaning the protocol input is not properly sanitized before use.
How can this vulnerability impact me?
This vulnerability can allow an attacker to write to arbitrary registry subkeys under HKCU\Software\Classes\ if the application passes untrusted input as the protocol name.
By doing so, an attacker may hijack existing protocol handlers, which compromises the integrity of the system.
The attack requires local access with low privileges and has high attack complexity, but no user interaction is needed.
There is no impact on confidentiality or availability, but the integrity of the system can be significantly affected.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises when an Electron application on Windows calls app.setAsDefaultProtocolClient() with a protocol name derived from untrusted input, leading to arbitrary registry writes under HKCU\Software\Classes\.
To detect if your system or application is vulnerable, you should check the Electron version in use and whether the application calls app.setAsDefaultProtocolClient() with externally derived protocol names.
You can verify the Electron version and inspect the registry as follows:
- For packaged Electron apps, check the version in the app's package.json or by running `electron --version` if accessible.
- On Windows, inspect the registry keys under HKCU\Software\Classes\ for unexpected or suspicious protocol handlers that may have been created or hijacked.
For example, to list keys under HKCU\Software\Classes\ whose names are not syntactically valid protocol names, you can use PowerShell:
```powershell
# Lists registry keys under HKCU\Software\Classes whose names fail the
# protocol-name pattern. File-extension keys such as ".txt" also fail it,
# so expect noise; keys carrying a "URL Protocol" value are the actual handlers.
Get-ChildItem -Path 'HKCU:\Software\Classes\' |
  Where-Object { $_.PSChildName -notmatch '^[a-zA-Z][a-zA-Z0-9+.-]*$' }
```
However, there are no specific commands provided to detect the vulnerability directly; detection mainly involves verifying Electron versions and inspecting registry entries for suspicious protocol registrations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, the primary step is to upgrade Electron to a patched version.
- Upgrade to Electron versions 38.8.6, 39.8.1, 40.8.1, or 41.0.0 or later, where the vulnerability has been fixed.
If upgrading immediately is not possible, developers should ensure that any protocol name passed to app.setAsDefaultProtocolClient() is validated against the regular expression /^[a-zA-Z][a-zA-Z0-9+.-]*$/ to allow only valid protocol names.
- Implement input validation to reject or sanitize untrusted or externally derived protocol names before calling app.setAsDefaultProtocolClient().
Additionally, review and monitor registry keys under HKCU\Software\Classes\ for unauthorized changes to protocol handlers.
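As an added example (not Electron's own code and not part of the original advisory), the following wrapper applies the recommended regular expression, plus an assumed per-application allowlist of owned scheme names, before calling app.setAsDefaultProtocolClient(); the `app` object is injected so the check can be exercised without Electron:

```javascript
// Added example: validate a protocol name before it reaches
// app.setAsDefaultProtocolClient(). The regex is the one the advisory
// recommends; the allowlist is an assumed per-application policy.
const PROTOCOL_NAME = /^[a-zA-Z][a-zA-Z0-9+.-]*$/;

// Assumed: the scheme names this application legitimately owns.
const OWNED_PROTOCOLS = new Set(['myapp', 'myapp-dev']);

// True only for a syntactically valid scheme name: no backslashes, path
// separators or whitespace that could steer the registry write elsewhere.
function isValidProtocolName(name) {
  return typeof name === 'string' && PROTOCOL_NAME.test(name);
}

// Syntax alone is not enough: 'http' passes the regex, but registering it
// would replace the browser's handler. The name must also be one the app
// owns (compared case-insensitively, as registry key names are).
function checkProtocolRegistration(name) {
  if (!isValidProtocolName(name)) {
    return { ok: false, reason: 'invalid protocol name syntax' };
  }
  if (!OWNED_PROTOCOLS.has(name.toLowerCase())) {
    return { ok: false, reason: 'protocol not owned by this application' };
  }
  return { ok: true, reason: '' };
}

// Wrapper around the Electron API; `app` is injected so the logic runs
// without Electron. Returns the validation verdict.
function registerProtocolSafely(app, name) {
  const verdict = checkProtocolRegistration(name);
  if (verdict.ok) app.setAsDefaultProtocolClient(name);
  return verdict;
}

// Constructed sample: a stub standing in for Electron's `app` object.
const calls = [];
const stubApp = { setAsDefaultProtocolClient: (p) => calls.push(p) };
registerProtocolSafely(stubApp, 'myapp');           // registered
registerProtocolSafely(stubApp, 'myapp\\..\\http'); // rejected: bad syntax
registerProtocolSafely(stubApp, 'http');            // rejected: not owned
```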
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to write to arbitrary registry subkeys, potentially hijacking existing protocol handlers and compromising system integrity.
While the vulnerability impacts integrity, it does not affect confidentiality or availability directly.
There is no explicit information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.