Bug 2455025 (CVE-2026-34773)
| Summary: | CVE-2026-34773 electron: Electron: Protocol handler hijacking via improper validation of protocol names | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | A flaw was found in Electron, a framework for building desktop applications. On Windows, the `app.setAsDefaultProtocolClient()` function did not properly validate protocol names before writing to the system registry. This vulnerability could allow a local attacker, through an application that processes untrusted input, to write to arbitrary registry subkeys. Consequently, an attacker might be able to hijack existing protocol handlers, leading to unintended program execution or other system modifications. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
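
One way an application can guard its own calls to `app.setAsDefaultProtocolClient()` against the flaw described in the Doc Text above, as an added example (not Electron's fix and not code from this bug report). The allowlist `ALLOWED_SCHEMES` and the function names `validateProtocolName` and `registerProtocolClient` are assumptions made for illustration.

```javascript
// Added example: validate a protocol name before it reaches
// app.setAsDefaultProtocolClient(). All names below are hypothetical.

// Assumption: the schemes this application legitimately owns.
const ALLOWED_SCHEMES = new Set(["myapp", "myapp-dev"]);

// RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ).
// Backslashes, slashes, NUL bytes and whitespace fall outside it, so an
// accepted value cannot carry extra registry path components.
const SCHEME_RE = /^[A-Za-z][A-Za-z0-9+.-]*$/;

function validateProtocolName(input) {
  if (typeof input !== "string") {
    throw new TypeError("protocol name must be a string");
  }
  // Check the raw input first, then normalise case (schemes are
  // case-insensitive), so normalisation cannot turn a bad value into a
  // good one.
  if (!SCHEME_RE.test(input)) {
    throw new RangeError("protocol name is not a valid URI scheme");
  }
  const name = input.toLowerCase();
  // Syntax alone is not enough: "http" and "mailto" are valid schemes but
  // already belong to other handlers. Only the app's own schemes pass.
  if (!ALLOWED_SCHEMES.has(name)) {
    throw new RangeError("protocol name is not on the allowlist");
  }
  return name;
}

// `app` is Electron's app module, passed in as a parameter so the check can
// be unit-tested with a stub. Returns the boolean that
// setAsDefaultProtocolClient() returns; throws before calling it when the
// name is rejected.
function registerProtocolClient(app, untrustedName) {
  const name = validateProtocolName(untrustedName);
  return app.setAsDefaultProtocolClient(name);
}
```

Route every registration that takes its name from configuration, command-line arguments or remote content through `registerProtocolClient`, so the name is checked before any registry write happens.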
Description
OSIDB Bzimport
2026-04-04 01:01:32 UTC