CVE-2026-34781
Denial of Service in Electron clipboard.readImage() Handling
Publication date: 2026-04-07
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| electronjs | electron | 41.2.0 |
| electronjs | electron | 42.0.0 |
| electronjs | electron | 42.0.0 |
| electronjs | electron | 42.0.0 |
| electronjs | electron | 42.0.0 |
| electronjs | electron | to 39.8.4 (inc) |
| electronjs | electron | From 40.0.0 (inc) to 40.8.4 (inc) |
| electronjs | electron | From 41.0.0 (inc) to 41.1.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Electron framework, which is used to build cross-platform desktop applications with JavaScript, HTML, and CSS. Specifically, apps that call the clipboard.readImage() function may be vulnerable to a denial of service. If the system clipboard contains image data that cannot be decoded properly, it results in a null bitmap being passed unchecked to image construction. This causes the application process to abort and crash. Only apps that use clipboard.readImage() are affected, and the issue does not allow for memory corruption or code execution.
How can this vulnerability impact me?
The impact of this vulnerability is a denial of service, meaning that affected applications can crash unexpectedly when attempting to read certain image data from the clipboard. This can disrupt normal application usage and cause loss of availability. However, it does not lead to memory corruption or allow an attacker to execute arbitrary code.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects Electron applications that call the clipboard.readImage() function. Detection involves identifying if any running Electron apps on your system use this function.
Since the issue triggers a crash when the clipboard contains undecodable image data, monitoring for unexpected crashes or aborts in Electron-based applications may indicate the presence of this vulnerability.
There are no specific commands provided to detect this vulnerability directly.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Electron to one of the fixed versions: 39.8.5, 40.8.5, 41.1.0, or 42.0.0-alpha.5.
If updating is not immediately possible, avoid using or calling the clipboard.readImage() function in your Electron applications, as apps that do not call this function are not affected.
Monitoring and handling clipboard image data carefully to avoid passing null bitmaps to image construction can also help prevent crashes.
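The following is an added example, not code from the Electron project or from this advisory: a triage check built from the fixed versions listed above and the statement that only apps calling clipboard.readImage() are affected. The function names, the regex-based source scan and the sample source are assumptions made for illustration, and treating a prerelease of a fixed version as still affected is a conservative choice.

```javascript
// Added example: triage against the fixed releases quoted on this page.
const FIXED_BY_MAJOR = { 40: [40, 8, 5], 41: [41, 1, 0] };
const FIXED_LEGACY = [39, 8, 5]; // every release line up to 39.x is compared to this
const FIXED_42_ALPHA = 5;        // 42.0.0-alpha.N is fixed from N = 5

function parseVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(version).trim());
  if (!m) throw new Error(`unparseable Electron version: ${version}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffected(version) {
  const { core, pre } = parseVersion(version);
  const major = core[0];
  if (major === 42) {
    // Only 42.0.0-alpha.N with N below 5 predates the fix named on the page.
    const alpha = /^alpha\.(\d+)$/.exec(pre || '');
    return compareCore(core, [42, 0, 0]) === 0 && alpha !== null && Number(alpha[1]) < FIXED_42_ALPHA;
  }
  const fixed = major <= 39 ? FIXED_LEGACY : FIXED_BY_MAJOR[major];
  if (!fixed) return false; // majors above 42 are outside the affected ranges
  const c = compareCore(core, fixed);
  // Assumption: a prerelease of the fixed version itself is treated as still affected.
  return c < 0 || (c === 0 && pre !== null);
}

// 1-based lines with direct clipboard.readImage( calls; aliased or destructured use is missed.
function findReadImageCalls(source) {
  const call = /\bclipboard\s*\.\s*readImage\s*\(/;
  return source.split(/\r?\n/).flatMap((line, i) => (call.test(line) ? [i + 1] : []));
}

function triage(version, source) {
  const affectedVersion = isAffected(version), callSites = findReadImageCalls(source);
  return { affectedVersion, callSites, exposed: affectedVersion && callSites.length > 0 };
}

// Constructed sample input, not taken from any real application.
const SAMPLE_SOURCE = [
  "const { clipboard } = require('electron');",
  "function pasteText() { return clipboard.readText(); }",
  "function pasteImage() { return clipboard.readImage().toPNG(); }",
].join('\n');
```

An app is flagged as exposed only when both conditions hold: the bundled Electron version falls in an affected range and the source contains a direct call site.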
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes a denial of service when an application calls clipboard.readImage() and encounters image data that fails to decode, resulting in a crash. It does not allow memory corruption or code execution.
Since the issue only leads to application crashes and does not involve unauthorized data access, data leakage, or modification, it is unlikely to directly impact compliance with data protection regulations such as GDPR or HIPAA.
Denial of service conditions could affect availability requirements under some standards, but this specific vulnerability has a low severity score and limited impact.