CVE-2026-34781: Electron: Crash in clipboard.readImage() on malformed clipboard image data
Apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process.
Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution.
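For triage, a version check like the following can flag apps that bundle an Electron build older than the release tags listed in the references. It is an added example, not code from the advisory or from Electron. It assumes those tags are the first patched release of each major line, and `checkElectronVersion` and its helpers are hypothetical names.

```javascript
// Added example: first patched release per major line, taken from the release
// tags in this advisory's references. Treating them as the fix floor for each
// line is an assumption; lines not listed here are reported as "unknown".
const PATCHED = ['39.8.5', '40.8.5', '41.1.0', '42.0.0-alpha.5'];

// Parse "v42.0.0-alpha.5" into { nums: [42, 0, 0], pre: ['alpha', '5'] }.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// Semver precedence: numeric core first, then a pre-release sorts below the
// release it precedes (42.0.0-alpha.4 < 42.0.0-alpha.5 < 42.0.0).
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  if (!a.pre.length && !b.pre.length) return 0;
  if (!a.pre.length) return 1;
  if (!b.pre.length) return -1;
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    if (x === y) continue;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) return +x < +y ? -1 : 1;
    if (xn !== yn) return xn ? -1 : 1; // numeric identifiers sort first
    return x < y ? -1 : 1;
  }
  return 0;
}

// Returns "patched", "unpatched" or "unknown". "unpatched" only matters for
// apps that actually call clipboard.readImage().
function checkElectronVersion(version) {
  const v = parseVersion(version);
  if (!v) return 'unknown';
  const floor = PATCHED.map(parseVersion).find((p) => p.nums[0] === v.nums[0]);
  if (!floor) return 'unknown';
  return compareVersions(v, floor) >= 0 ? 'patched' : 'unpatched';
}

// Inside an Electron app the running version is process.versions.electron;
// the fallback is a constructed sample so the block also runs under plain Node.
const running = process.versions.electron || '40.8.4';
console.log(`Electron ${running}: ${checkElectronVersion(running)}`);
```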
References
- github.com/advisories/GHSA-f37v-82c4-4x64
- github.com/electron/electron
- github.com/electron/electron/commit/a48f03fb8d03933547281ddb2dbb6c6b9e705287
- github.com/electron/electron/pull/50475
- github.com/electron/electron/releases/tag/v39.8.5
- github.com/electron/electron/releases/tag/v40.8.5
- github.com/electron/electron/releases/tag/v41.1.0
- github.com/electron/electron/releases/tag/v42.0.0-alpha.5
- github.com/electron/electron/security/advisories/GHSA-f37v-82c4-4x64
- nvd.nist.gov/vuln/detail/CVE-2026-34781