CVE-2026-54257 - Electron Buffer heap under/overflow
CVE-2026-54257 is a critical Electron advisory affecting the published
electron npm package. In the affected versions, incorrect byte-length
calculations in the Node.js Buffer API can cause crashes and some incorrect
buffer allocations, creating heap buffer underflow or overflow behavior in
desktop applications that embed the affected runtime.
This is a runtime upgrade problem, not something application code can safely paper over. If a repository packages or distributes Electron desktop builds, the primary remediation is to upgrade Electron and rebuild installers, bundles, and signed artifacts.
When to use it
- A repository builds, packages, signs, notarizes, or distributes Electron desktop artifacts.
- The effective
electronruntime resolves to42.3.1or42.3.2. - CI caches, installer builders, release feeds, or auto-update metadata may continue shipping an old runtime after dependency files change.
- You need a bounded PR or triage note that upgrades Electron and proves the shipped desktop artifacts were rebuilt.
Inputs
- Node manifests, lockfiles, workspaces, Electron builder/forge/packager config, CI caches, release workflows, update feeds, SBOMs, and generated reports.
- Signing, notarization, installer, checksum, and auto-update metadata ownership without exposing credentials.
- Available install, desktop build, packaging smoke, checksum refresh, SBOM, and dependency/security scan commands.
Affected versions
- Vulnerable:
electron >= 42.3.1, < 42.3.3 - Fixed:
42.3.3+ - Workaround: none documented by the vendor
Indicator-of-exposure
- The repository depends on
electronin the affected range. - Build, packaging, or release workflows produce desktop binaries from
Electron
42.3.1or42.3.2. - CI caches, installer builders, or update feeds may still redistribute a
vulnerable packaged runtime even after
package.jsonchanges.
Quick checks:
rg -n "\"electron\"|electron-builder|electron-forge|electron-packager|asar|autoUpdater" .
npm ls electron
pnpm why electron
yarn why electron
Windows:
rg -n "\"electron\"|electron-builder|electron-forge|electron-packager|asar|autoUpdater" .
npm ls electron
pnpm why electron
yarn why electron
Do not attempt to reproduce memory corruption with crafted inputs or custom proofs of concept.
Remediation strategy
- Upgrade all controlled Electron package references to
42.3.3+or a newer maintained release on the chosen major line. - Refresh lockfiles, CI caches, packaged runtime downloads, notarized bundles, installers, and auto-update feeds.
- Rebuild and re-sign desktop artifacts so the shipped runtime actually contains the fixed Electron version.
- Validate that release automation and update channels no longer point to vulnerable builds.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-54257 / GHSA-q6m5-f73j-m9mc, a critical Electron
runtime defect involving incorrect `Buffer` byte-length calculations that can
cause crashes and incorrect heap allocations. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades Electron, refreshes build
artifacts, and documents operator follow-up, or
- TRIAGE.md if this repository does not control an affected Electron runtime.
## Rules
- Scope only CVE-2026-54257 and directly related Electron package and release
artifacts.
- Treat signing keys, notarization credentials, release tokens, and packaged
binaries as sensitive.
- Do not write or run memory-corruption proof-of-concept code.
- Do not auto-merge.
## Steps
1. Inventory every `electron` dependency, lockfile, build image, installer
workflow, release pipeline, and auto-update channel controlled here.
2. Determine whether any resolved `electron` version is `>= 42.3.1, < 42.3.3`.
3. If no affected runtime is controlled by this repository, stop with
`TRIAGE.md`.
4. Upgrade Electron to `42.3.3+` or a newer supported release on the chosen
major line.
5. Refresh lockfiles, caches, packaged runtime downloads, generated metadata,
SBOMs, and installer assets.
6. Rebuild and re-sign shipped desktop artifacts, and confirm update feeds no
longer point to vulnerable packages.
7. Add safe regression checks that assert resolved Electron versions and
packaged artifact metadata match the fixed release.
8. Add a PR body section named `CVE-2026-54257 operator actions` covering
versions before and after, which release artifacts were rebuilt, and which
update channels need rollout coordination.
9. Run relevant validation: package install, desktop build, packaging smoke
checks, checksum refresh, and dependency/security scans.
10. Use PR title:
`fix(sec): remediate CVE-2026-54257 in Electron runtime`.
## Stop conditions
- No affected Electron runtime or packaged artifact is controlled here.
- Rebuilding requires external signing infrastructure not available in the
repository; document the owner and required follow-up.
- Validation would require exploit-style memory corruption testing.
Verification - what the reviewer looks for
- No controlled lockfile or release workflow resolves
electron 42.3.1or42.3.2. - Packaged artifacts and update metadata were rebuilt against a fixed runtime.
- CI caches and release automation no longer reintroduce the old runtime.
Output contract
- Reviewer-ready PR upgrading Electron to
42.3.3+or a newer supported release and refreshing lockfiles, caches, SBOMs, and release metadata. - Evidence that installers, signed bundles, update feeds, checksums, and packaged runtime metadata point at the fixed Electron version.
- Operator notes for signing/notarization owners, rollout coordination, and artifact rebuild status.
TRIAGE.mdwhen rebuilding or signing fixed artifacts requires external release infrastructure.
Watch for
- Upgrading manifests but leaving old installers or update payloads published.
- Forgetting to invalidate cached downloaded Electron zips in CI.
- Re-signing gaps that leave fixed builds blocked from shipping.
Related recipes
- CVE-2026-48069 grpc-js compressed message crash
- Source code supply-chain build integrity audit
- CVE intelligence intake gate
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-q6m5-f73j-m9mc
- Electron releases: https://releases.electronjs.org/release
- CVE record: https://www.cve.org/CVERecord?id=CVE-2026-54257