What is the CVSS score of CVE-2026-34774?

CVE-2026-34774 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Microsoft are affected by CVE-2026-34774?

CVE-2026-34774 is a high-severity use-after-free vulnerability in Electron framework that enables unauthenticated remote code execution when offscreen rendering is enabled with child windows…. A patch is available.

Microsoft CVE-2026-34774

Q: How to fix or mitigate CVE-2026-34774?

Within 24 hours: identify all Electron-based applications in your environment and determine current framework versions. Within 7 days: upgrade to patched versions (Electron 39.8.1 or later, 40.7.0 or later, or 41.0.0 or later) and test in staging environments. Within 30 days: complete rollout of patched versions to all production systems and verify offscreen rendering configurations are necessary for business operations.

HIGH

Use After Free (CWE-416)

2026-04-03 https://github.com/electron/electron

GHSA-532v-xpq5-8h95

Buffer Overflow Use After Free Memory Corruption Microsoft

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 22, 2026 - 18:07 vuln.today

cvss_changed

Patch released

Apr 03, 2026 - 08:30 nvd

Patch available

Analysis Generated

Apr 03, 2026 - 02:45 vuln.today

CVE Published

Apr 03, 2026 - 02:42 nvd

HIGH 8.1

DescriptionNVD

Impact

Apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption.

Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected.

Workarounds

Deny child window creation from offscreen renderers in your setWindowOpenHandler, or ensure child windows are closed before the parent is destroyed.

Fixed Versions

41.0.0
40.7.0
39.8.1

For more information

If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Use-after-free memory corruption in Electron framework (versions <39.8.1, <40.7.0, <41.0.0) allows unauthenticated remote attackers to potentially execute arbitrary code when offscreen rendering is enabled and child windows are permitted. The vulnerability triggers when a parent offscreen WebContents is destroyed while child windows remain active, causing subsequent paint operations to dereference freed memory. …

RemediationAI

Within 24 hours: identify all Electron-based applications in your environment and determine current framework versions. Within 7 days: upgrade to patched versions (Electron 39.8.1 or later, 40.7.0 or later, or 41.0.0 or later) and test in staging environments. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory