Executive Summary

CVE-2026-34773 is a moderate severity vulnerability in the Electron framework on Windows platforms, specifically in the function app.setAsDefaultProtocolClient(protocol).

The vulnerability occurs because this function does not validate the protocol name before writing it to the Windows registry under HKCU\Software\Classes\.

If an application passes untrusted or externally derived input as the protocol name, an attacker can exploit this to write to arbitrary subkeys in the registry, potentially hijacking existing protocol handlers.

This issue affects Electron versions prior to 38.8.6, 39.8.1, 40.8.1, and 41.0.0, and has been patched in those versions.

The root cause is improper input validation and improper neutralization of special elements in output used by a downstream component, meaning the protocol input is not properly sanitized before use.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to write to arbitrary registry subkeys under HKCU\Software\Classes\ if the application passes untrusted input as the protocol name.

By doing so, an attacker may hijack existing protocol handlers, which compromises the integrity of the system.

The attack requires local access with low privileges and has high attack complexity, but no user interaction is needed.

There is no impact on confidentiality or availability, but the integrity of the system can be significantly affected.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability arises when an Electron application on Windows calls app.setAsDefaultProtocolClient() with a protocol name derived from untrusted input, leading to arbitrary registry writes under HKCU\Software\Classes\.

To detect if your system or application is vulnerable, you should check the Electron version in use and whether the application calls app.setAsDefaultProtocolClient() with externally derived protocol names.

You can verify the Electron version by running commands like:

• For packaged Electron apps, check the version in the app's package.json or by running `electron --version` if accessible.
• On Windows, inspect the registry keys under HKCU\Software\Classes\ for unexpected or suspicious protocol handlers that may have been created or hijacked.

For example, to list protocol handlers in the registry, you can use PowerShell commands such as:

• Get-ChildItem -Path HKCU:\Software\Classes\ | Where-Object { $_.PSChildName -match '^[a-zA-Z][a-zA-Z0-9+.-]*$' -eq $false }

However, there are no specific commands provided to detect the vulnerability directly; detection mainly involves verifying Electron versions and inspecting registry entries for suspicious protocol registrations.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, the primary step is to upgrade Electron to a patched version.

• Upgrade to Electron versions 38.8.6, 39.8.1, 40.8.1, or 41.0.0 or later, where the vulnerability has been fixed.

If upgrading immediately is not possible, developers should ensure that any protocol name passed to app.setAsDefaultProtocolClient() is validated against the regular expression /^[a-zA-Z][a-zA-Z0-9+.-]*$/ to allow only valid protocol names.

• Implement input validation to reject or sanitize untrusted or externally derived protocol names before calling app.setAsDefaultProtocolClient().

Additionally, review and monitor registry keys under HKCU\Software\Classes\ for unauthorized changes to protocol handlers.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker to write to arbitrary registry subkeys, potentially hijacking existing protocol handlers and compromising system integrity.

While the vulnerability impacts integrity, it does not affect confidentiality or availability directly.

There is no explicit information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0