GHSA-f37v-82c4-4x64
Electron: Crash in clipboard.readImage() on malformed clipboard image data
Details
### Impact

Apps that call `clipboard.readImage()` may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process.

Apps are only affected if they call `clipboard.readImage()`. Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution.
### Workarounds

Validate that the clipboard contains image data via `clipboard.availableFormats()` before calling `clipboard.readImage()`. Note this only narrows the window — upgrading to a fixed version is recommended.

### Fixed Versions

* `42.0.0-alpha.5`
* `41.1.0`
* `40.8.5`
* `39.8.5`

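The workaround and the fixed-version list above, combined in an added example (not code from the Electron project). The function names `patchStatus` and `readImageGuarded` are hypothetical, and the `image/` prefix test assumes formats are reported as MIME-style strings.

```javascript
// Added example, not Electron project code. `clipboard` is passed in so the
// guard can be exercised with a stub outside Electron.
const FIXED = ['42.0.0-alpha.5', '41.1.0', '40.8.5', '39.8.5']; // from the advisory
const PRE_ORDER = { alpha: 0, beta: 1 }; // assumption: only these prerelease tags are ranked

// Parse "major.minor.patch" with an optional "-alpha.N" / "-beta.N" suffix.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta)\.(\d+))?$/.exec(v);
  if (!m) return null; // nightlies and custom builds are not ranked
  return { nums: [m[1], m[2], m[3]].map(Number), tag: m[4] || null, n: Number(m[5] || 0) };
}

// Negative if a < b, zero if equal, positive if a > b.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] - b.nums[i];
  }
  if (a.tag === b.tag) return a.n - b.n;
  if (a.tag === null) return 1; // a release sorts after its prereleases
  if (b.tag === null) return -1;
  return PRE_ORDER[a.tag] - PRE_ORDER[b.tag];
}

// 'fixed' | 'unpatched' | 'unknown' (release line not listed in the advisory).
function patchStatus(version) {
  const v = parse(version);
  const fixed = v && FIXED.map(parse).find((f) => f.nums[0] === v.nums[0]);
  if (!fixed) return 'unknown';
  return compare(v, fixed) >= 0 ? 'fixed' : 'unpatched';
}

// Workaround from the advisory: call readImage() only when an image format is
// advertised. This narrows the window but cannot stop malformed data that is
// advertised as an image; the failure is a process abort, so try/catch in
// JavaScript does not help either.
function readImageGuarded(clipboard) {
  const formats = clipboard.availableFormats();
  // Assumption: image formats are reported as MIME-style "image/..." strings.
  if (!formats.some((f) => f.startsWith('image/'))) return null;
  return clipboard.readImage();
}
```

In an Electron app, pass `require('electron').clipboard` to `readImageGuarded` and `process.versions.electron` to `patchStatus`.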
### For more information

If you have any questions or comments about this advisory, email us at [security@electronjs.org](mailto:security@electronjs.org).

Affected packages
42.0.0-alpha.1
Fixed in: 42.0.0-alpha.5
`npm install electron@42.0.0-alpha.5`

References
- https://github.com/electron/electron/security/advisories/GHSA-f37v-82c4-4x64 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2026-34781 [ADVISORY]
- https://github.com/electron/electron/pull/50475 [WEB]
- https://github.com/electron/electron/commit/a48f03fb8d03933547281ddb2dbb6c6b9e705287 [WEB]
- https://github.com/electron/electron [PACKAGE]
- https://github.com/electron/electron/releases/tag/v39.8.5 [WEB]
- https://github.com/electron/electron/releases/tag/v40.8.5 [WEB]
- https://github.com/electron/electron/releases/tag/v41.1.0 [WEB]
- https://github.com/electron/electron/releases/tag/v42.0.0-alpha.5 [WEB]