{
  "threat_severity" : "Low",
  "public_date" : "2026-04-03T23:35:10Z",
  "bugzilla" : {
    "description" : "Electron: Electron: Unauthorized USB device access via select-usb-device event callback validation bypass",
    "id" : "2454998",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2454998"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-1289",
  "details" : [ "Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, the select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters. The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.", "A flaw was found in Electron. An attacker could influence an application's handler for the `select-usb-device` event to select a USB device ID outside of the filtered list. This could grant access to a USB device that was not intended by the application's security filters, potentially leading to unintended device interactions. The practical impact is limited to applications with unusual device-selection logic." ],
  "package_state" : [ {
    "product_name" : "Red Hat Build of Podman Desktop",
    "fix_state" : "Fix deferred",
    "package_name" : "podman-desktop-macos-1-0",
    "cpe" : "cpe:/a:redhat:podman_desktop:1"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop",
    "fix_state" : "Fix deferred",
    "package_name" : "podman-desktop-windows-1-0",
    "cpe" : "cpe:/a:redhat:podman_desktop:1"
  }, {
    "product_name" : "Red Hat Build of Podman Desktop - Tech Preview",
    "fix_state" : "Fix deferred",
    "package_name" : "rhdesktop/rh-podman-desktop-ext-openshift-local-rhel10",
    "cpe" : "cpe:/a:redhat:podman_desktop:0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-34766\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-34766\nhttps://github.com/electron/electron/security/advisories/GHSA-9899-m83m-qhpj" ],
  "name" : "CVE-2026-34766",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}