CVE-2026-54257 - Electron Buffer heap under/overflow

CVE-2026-54257 is a critical Electron advisory affecting the published electron npm package. In the affected versions, incorrect byte-length calculations in the Node.js Buffer API can cause crashes and some incorrect buffer allocations, creating heap buffer underflow or overflow behavior in desktop applications that embed the affected runtime.

This is a runtime upgrade problem, not something application code can safely paper over. If a repository packages or distributes Electron desktop builds, the primary remediation is to upgrade Electron and rebuild installers, bundles, and signed artifacts.

When to use it

  • A repository builds, packages, signs, notarizes, or distributes Electron desktop artifacts.
  • The effective electron runtime resolves to 42.3.1 or 42.3.2.
  • CI caches, installer builders, release feeds, or auto-update metadata may continue shipping an old runtime after dependency files change.
  • You need a bounded PR or triage note that upgrades Electron and proves the shipped desktop artifacts were rebuilt.

Inputs

  • Node manifests, lockfiles, workspaces, Electron builder/forge/packager config, CI caches, release workflows, update feeds, SBOMs, and generated reports.
  • Signing, notarization, installer, checksum, and auto-update metadata ownership without exposing credentials.
  • Available install, desktop build, packaging smoke, checksum refresh, SBOM, and dependency/security scan commands.

Affected versions

  • Vulnerable: electron >= 42.3.1, < 42.3.3
  • Fixed: 42.3.3+
  • Workaround: none documented by the vendor

Indicator-of-exposure

  • The repository depends on electron in the affected range.
  • Build, packaging, or release workflows produce desktop binaries from Electron 42.3.1 or 42.3.2.
  • CI caches, installer builders, or update feeds may still redistribute a vulnerable packaged runtime even after package.json changes.

Quick checks:

rg -n "\"electron\"|electron-builder|electron-forge|electron-packager|asar|autoUpdater" .
npm ls electron
pnpm why electron
yarn why electron

Windows:

rg -n "\"electron\"|electron-builder|electron-forge|electron-packager|asar|autoUpdater" .
npm ls electron
pnpm why electron
yarn why electron

Do not attempt to reproduce memory corruption with crafted inputs or custom proofs of concept.

Remediation strategy

  • Upgrade all controlled Electron package references to 42.3.3+ or a newer maintained release on the chosen major line.
  • Refresh lockfiles, CI caches, packaged runtime downloads, notarized bundles, installers, and auto-update feeds.
  • Rebuild and re-sign desktop artifacts so the shipped runtime actually contains the fixed Electron version.
  • Validate that release automation and update channels no longer point to vulnerable builds.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-54257 / GHSA-q6m5-f73j-m9mc, a critical Electron
runtime defect involving incorrect `Buffer` byte-length calculations that can
cause crashes and incorrect heap allocations. Produce exactly one output:

- A reviewer-ready PR/change request that upgrades Electron, refreshes build
  artifacts, and documents operator follow-up, or
- TRIAGE.md if this repository does not control an affected Electron runtime.

## Rules

- Scope only CVE-2026-54257 and directly related Electron package and release
  artifacts.
- Treat signing keys, notarization credentials, release tokens, and packaged
  binaries as sensitive.
- Do not write or run memory-corruption proof-of-concept code.
- Do not auto-merge.

## Steps

1. Inventory every `electron` dependency, lockfile, build image, installer
   workflow, release pipeline, and auto-update channel controlled here.
2. Determine whether any resolved `electron` version is `>= 42.3.1, < 42.3.3`.
3. If no affected runtime is controlled by this repository, stop with
   `TRIAGE.md`.
4. Upgrade Electron to `42.3.3+` or a newer supported release on the chosen
   major line.
5. Refresh lockfiles, caches, packaged runtime downloads, generated metadata,
   SBOMs, and installer assets.
6. Rebuild and re-sign shipped desktop artifacts, and confirm update feeds no
   longer point to vulnerable packages.
7. Add safe regression checks that assert resolved Electron versions and
   packaged artifact metadata match the fixed release.
8. Add a PR body section named `CVE-2026-54257 operator actions` covering
   versions before and after, which release artifacts were rebuilt, and which
   update channels need rollout coordination.
9. Run relevant validation: package install, desktop build, packaging smoke
   checks, checksum refresh, and dependency/security scans.
10. Use PR title:
    `fix(sec): remediate CVE-2026-54257 in Electron runtime`.

## Stop conditions

- No affected Electron runtime or packaged artifact is controlled here.
- Rebuilding requires external signing infrastructure not available in the
  repository; document the owner and required follow-up.
- Validation would require exploit-style memory corruption testing.

Verification - what the reviewer looks for

  • No controlled lockfile or release workflow resolves electron 42.3.1 or 42.3.2.
  • Packaged artifacts and update metadata were rebuilt against a fixed runtime.
  • CI caches and release automation no longer reintroduce the old runtime.

Output contract

  • Reviewer-ready PR upgrading Electron to 42.3.3+ or a newer supported release and refreshing lockfiles, caches, SBOMs, and release metadata.
  • Evidence that installers, signed bundles, update feeds, checksums, and packaged runtime metadata point at the fixed Electron version.
  • Operator notes for signing/notarization owners, rollout coordination, and artifact rebuild status.
  • TRIAGE.md when rebuilding or signing fixed artifacts requires external release infrastructure.

Watch for

  • Upgrading manifests but leaving old installers or update payloads published.
  • Forgetting to invalidate cached downloaded Electron zips in CI.
  • Re-signing gaps that leave fixed builds blocked from shipping.

References