Electron Out-of-Bounds Heap Read Vulnerability in IPC Second-Instance Handling on macOS and Linux
Vulnerability
An out-of-bounds heap read vulnerability has been identified in Electron applications on macOS and Linux. It affects apps that call 'app.requestSingleInstanceLock()': parsing a crafted second-instance message can lead to memory leakage, and the leaked memory is delivered to the app's second-instance event handler. The vulnerability is confined to processes running under the same user as the Electron app. Windows applications are not impacted. The vulnerability exists in Electron versions prior to 38.8.6, versions 39.0.0-alpha.1 through 39.8.0, versions 40.0.0-alpha.1 through 40.8.0, and versions 41.0.0-alpha.1 through 41.0.0.
Impact
Exploitation of this vulnerability could result in an out-of-bounds heap read, allowing for memory leakage that could be manipulated in the app's second-instance event handler.
Remediation
Users must update to Electron versions 38.8.6, 39.8.1, 40.8.1, or 41.0.0.
