DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-43944: Arbitrary Local Code Execution in electerm via Malicious Deep Links


Vulnerability ID: CVE-2026-43944
CVSS Score: 9.4
Published: 2026-05-08

CVE-2026-43944 is a critical vulnerability in the electerm client that allows for arbitrary local code execution. The application insecurely parses deep link arguments and merges untrusted JSON directly into the core session configuration. This enables attackers to override internal state variables, hijacking the application's execution flow to spawn malicious local binaries.

TL;DR

A critical flaw in electerm (< 3.8.15) allows attackers to execute arbitrary local binaries via crafted electerm:// URIs or CLI flags. The application insecurely merges user-provided JSON payloads into the main session configuration, enabling protocol and executable hijacking.


⚠️ Exploit Status: POC

Technical Details

  • CVSS v4.0: 9.4 (Critical)
  • EPSS Score: 0.00144 (0.14%)
  • CWE IDs: CWE-20, CWE-94, CWE-829
  • Attack Vector: Network (via URI handler)
  • Exploit Status: Proof of Concept (PoC)
  • Privileges Required: None
  • User Interaction: Required

Affected Systems

  • electerm: >= 3.0.6, < 3.8.15 (versions 3.0.6 through 3.8.14; fixed in 3.8.15)

Code Analysis

Commit: 8a6a179

Implemented OPTS_DENY_LIST to prevent overriding 'type' and 'host' via deep links.

Commit: a79e06f

Added check to reject execution paths containing '..' sequence.
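
The two fixes described above, sketched as an added example that is not electerm's own code: the unsafe merge next to a deny-list merge and a '..' path check. OPTS_DENY_LIST, 'type' and 'host' come from the commit notes; the function names, session fields and sample payload are assumptions constructed for illustration.

```javascript
// Keys a deep link must never override (name and members taken from the commit note).
const OPTS_DENY_LIST = new Set(['type', 'host']);

// Constructed sample data, not taken from the advisory.
const session = { type: 'ssh', host: 'bastion.example.internal', port: 22 };
const sampleOpts = '{"type":"constructed-type","host":"untrusted.example","title":"demo"}';

// Vulnerable pattern: untrusted JSON is spread over the session config,
// so any key in the link replaces trusted internal state.
function mergeUnsafe(base, optsJson) {
  return { ...base, ...JSON.parse(optsJson) };
}

// Hardened pattern: accept only a plain JSON object and skip deny-listed keys.
// Returns the merged config plus the dropped keys so the caller can log them.
function mergeDeepLinkOpts(base, optsJson) {
  const parsed = JSON.parse(optsJson);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new TypeError('deep link opts must be a JSON object');
  }
  const merged = { ...base };
  const dropped = [];
  for (const [key, value] of Object.entries(parsed)) {
    if (OPTS_DENY_LIST.has(key)) {
      dropped.push(key);
      continue;
    }
    merged[key] = value;
  }
  return { merged, dropped };
}

// Second fix: refuse any execution path that contains a '..' sequence.
function isSafeExecPath(p) {
  return typeof p === 'string' && p.length > 0 && !p.includes('..');
}

const result = mergeDeepLinkOpts(session, sampleOpts);
console.log('unsafe merge type:', mergeUnsafe(session, sampleOpts).type);
console.log('hardened merge type:', result.merged.type, 'dropped:', result.dropped);
console.log('traversal path accepted:', isSafeExecPath('../../tmp/tool'));
```

Logging the dropped keys gives defenders a signal that a link tried to override protected state, which pairs with the child-process monitoring listed under the mitigations.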

Mitigation Strategies

  • Upgrade electerm to version 3.8.15 or later.
  • Unregister the electerm:// protocol handler in the operating system registry or application settings.
  • Implement Endpoint Detection and Response (EDR) rules to monitor electerm child process creation.
  • Conduct user training to prevent interaction with untrusted deep links.

Remediation Steps:

  1. Identify all hosts running electerm versions between 3.0.6 and 3.8.14.
  2. Deploy the 3.8.15 update package via centralized endpoint management tools.
  3. Verify the update installation by checking the application version string.
  4. If patching is delayed, execute scripts to remove the electerm:// URI handler association on affected systems.
