Bug 2455024 (CVE-2026-34778)

Summary: CVE-2026-34778 Electron: Electron: Integrity issue due to IPC channel spoofing by a service worker
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Electron, a framework for building desktop applications. A service worker running in a session could spoof reply messages on the internal Inter-Process Communication (IPC) channel. This vulnerability affects applications that have service workers registered and use the results of `webContents.executeJavaScript()` in security-sensitive decisions. An attacker could exploit this to cause the main-process promise to resolve with attacker-controlled data, potentially leading to integrity issues.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2455437, 2455438    
Bug Blocks:    

Description OSIDB Bzimport 2026-04-04 01:01:29 UTC
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, a service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.