CVE-2026-54257
Deferred Deferred - Pending Action

Electron Framework Heap Buffer Overflow in Node.js Buffer API

Vulnerability report for CVE-2026-54257, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-23

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 42.3.1 until 42.3.3, Buffer performs incorrect byte length calculations resulting in heap buffer under/overflow. Most apps will crash and some may perform incorrect buffer allocations in the Node.js Buffer API resulting in unexpected truncation or allocation. This vulnerability is fixed in 42.3.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-23
Last Modified
2026-06-25
Generated
2026-07-14
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-12
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
electron electron From 42.3.1 (inc) to 42.3.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-120 The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-54257 is a vulnerability in the Electron framework affecting versions 42.3.1 and 42.3.2. It involves incorrect byte length calculations in the Buffer API, which leads to heap buffer underflows or overflows. This means that the memory allocated for buffers can be either too small or too large, causing most applications using these versions to crash or behave unexpectedly due to improper memory handling.

Specifically, the issue causes unexpected truncation or incorrect buffer allocations in the Node.js Buffer API, which can result in application instability or crashes. The vulnerability was fixed in Electron version 42.3.3.

Impact Analysis

This vulnerability can cause most applications built on the affected Electron versions to crash due to incorrect memory allocation in buffers. Additionally, some applications may experience unexpected truncation or improper buffer allocations, potentially leading to unstable behavior or data corruption.

Detection Guidance

There are no specific detection commands or network/system detection methods provided for this vulnerability.

The vulnerability affects Electron versions 42.3.1 and 42.3.2, causing most applications to crash due to incorrect byte length calculations in the Buffer API.

Detection would primarily involve identifying if your applications are running these vulnerable Electron versions.

Mitigation Strategies

The immediate mitigation step is to upgrade Electron to version 42.3.3 or later, where this vulnerability has been fixed.

There are no available workarounds for this issue, so updating the Electron framework is essential to prevent crashes and potential buffer allocation issues.

Compliance Impact

The provided information does not specify how the vulnerability in Electron's Buffer API affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54257. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart