CVE-2026-45353: electerm: Local code execution through electerm's single-instance socket
electerm is an open-source terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Versions 3.0.6 through 3.8.8 are affected; this vulnerability is fixed in 3.9.0.
HarborGuard Analysis
Synopsis
This is a local code execution vulnerability in electerm, an open-source terminal and remote-access client (SSH, SFTP, RDP, VNC, and related protocols). An attacker with any local user account on the host can exploit a weakness in electerm's single-instance socket to execute arbitrary code in the context of the running application. Successful exploitation gives the attacker full control over the electerm process and, through it, access to all sessions, credentials, and remote connections managed by that instance. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including internally built images that bundle electerm. Any image with an affected electerm version (3.0.6 through 3.8.8) will be flagged in both registry scans and CI pipeline checks. Status: Available.
HarborGuard surfaces this finding with its CVSS v4.0 score of 9.3 (Critical), weighted against each customer's compliance policy to determine urgency and routing. Triage tickets are directed to the appropriate team inbox within each customer organization based on image ownership and environment classification. Status: Available.
No fix version has been published upstream as of this CVE's publication date; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix lands. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without requiring manual intervention once a fix version is confirmed. Status: Pending upstream.
Exploit Conditions
- Network reachability: Not required
  The attacker needs an existing shell or process on the host; no network access to the target is required.
- Authentication: Required
  Any low-privilege local user account is sufficient; the attacker does not need administrative or root credentials.
- Victim interaction: Not required
  No action from the electerm user or any other person on the system is needed to trigger the vulnerability.
- Attack complexity: Low
  The exploit is reliable and condition-free; no race conditions, special memory layouts, or environmental dependencies are involved.
Blast Radius
- Reads all credentials, private keys, and session data stored or actively used by the running electerm instance, including SSH, SFTP, RDP, and VNC connections.
- Modifies electerm configuration and session state, enabling an attacker to redirect remote connections or inject commands into open terminal sessions.
- Crashes or terminates the electerm process, disrupting all active remote sessions managed by the application.
- Achieves code execution at the privilege level of the electerm process, which may be the interactive desktop user, expanding attacker reach to any resource that user can access.
How HarborGuard Handles This
This CVE is tracked continuously on HarborGuard, with no published fix as of the disclosure date. Because no patched version exists yet, HarborGuard re-evaluates the advisory on every ingest cycle (typically every few minutes) so that a rebuild becomes available immediately when electerm ships version 3.9.0 or later. In the interim, customers can use HarborGuard's policy controls to flag images containing affected electerm versions for compensating-control review. Recommended mitigations include restricting which local user accounts can interact with the electerm socket via OS-level permission policies, isolating developer workstations that run electerm from sensitive internal network segments, and auditing stored credential stores for unexpected access. For customers with auto-remediation enabled, the full rebuild-plus-regression-run-plus-PR flow will trigger automatically once an upstream fix version is confirmed in the advisory feed.
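The first mitigation above (restricting which local accounts can reach the single-instance socket) can be verified rather than assumed. The following audit is an added example, not code from the advisory or from electerm; it assumes the single-instance endpoint is a filesystem Unix domain socket (the advisory does not give its path, so pass the real one to audit_unix_socket()) and constructs three sample sockets to show why the parent directory's mode matters as much as the socket's own bits.

```python
import os
import socket
import stat
import tempfile

# Added example (not from the advisory or the electerm project). The socket
# path is an assumption: the advisory does not state where electerm keeps it.


def audit_unix_socket(path: str) -> dict:
    """Report whether local users other than the owner can connect to `path`.

    Connecting to a filesystem Unix socket needs write permission on the
    socket inode and search (x) permission on its parent directory, so both
    gates are checked. Group and "other" bits are treated alike (conservative).
    """
    st = os.lstat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a Unix domain socket")
    mode = stat.S_IMODE(st.st_mode)
    dir_mode = stat.S_IMODE(os.stat(os.path.dirname(path) or ".").st_mode)
    sock_open = bool(mode & (stat.S_IWGRP | stat.S_IWOTH))
    dir_open = bool(dir_mode & (stat.S_IXGRP | stat.S_IXOTH))
    return {
        "mode": oct(mode),
        "owner_uid": st.st_uid,
        "socket_writable_by_group_or_others": sock_open,
        "parent_dir_searchable_by_group_or_others": dir_open,
        # Exposure needs both gates open: a 0666 socket in a 0700 dir is safe.
        "reachable_by_other_users": sock_open and dir_open,
    }


def demo() -> dict:
    """Constructed scenario: three sockets, returns the audit of each."""
    results = {}
    with tempfile.TemporaryDirectory() as open_dir, \
            tempfile.TemporaryDirectory() as private_dir:
        os.chmod(open_dir, 0o755)     # like /tmp: anyone may traverse it
        os.chmod(private_dir, 0o700)  # only the owner may traverse it
        cases = [("weak_in_open_dir", open_dir, 0o666),
                 ("restricted", open_dir, 0o600),
                 ("weak_in_private_dir", private_dir, 0o666)]
        for name, d, mode in cases:
            p = os.path.join(d, name + ".sock")
            s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            s.bind(p)           # bind() creates the socket inode
            os.chmod(p, mode)   # set the mode we want to audit
            results[name] = audit_unix_socket(p)
            s.close()
    return results
```

Linux abstract-namespace sockets and Windows named pipes have no filesystem mode bits, so this check does not apply to them and the access control must come from elsewhere.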
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
- electerm / electerm: >= 3.0.6, < 3.9.0
- CVSS vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H