Electron: Use-after-free in PowerMonitor on Windows and macOS
Package
Affected versions
< 38.8.6
>= 39.0.0-alpha.1, < 39.8.1
>= 40.0.0-alpha.1, < 40.8.0
>= 41.0.0-alpha.1, < 41.0.0-beta.8
Patched versions
38.8.6
39.8.1
40.8.0
41.0.0-beta.8
Description
Published to the GitHub Advisory Database
Apr 3, 2026
Reviewed
Apr 3, 2026
Published by the National Vulnerability Database
Apr 4, 2026
Last updated
Apr 6, 2026
Impact
Apps that use the
powerMonitormodule may be vulnerable to a use-after-free. After the nativePowerMonitorobject is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption.All apps that access
powerMonitorevents (suspend,resume,lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable.Workarounds
There are no app side workarounds, you must update to a patched version of Electron.
Fixed Versions
41.0.0-beta.840.8.039.8.138.8.6For more information
If there are any questions or comments about this advisory, please email security@electronjs.org
References