Microsoft
CVE-2026-34774
HIGH
Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from Vendor (https://github.com/electron/electron).
CVSS VectorVendor: https://github.com/electron/electron
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Impact
Apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption.
Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected.
Workarounds
Deny child window creation from offscreen renderers in your setWindowOpenHandler, or ensure child windows are closed before the parent is destroyed.
Fixed Versions
41.0.040.7.039.8.1
For more information
If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)
AnalysisAI
Use-after-free memory corruption in Electron framework (versions <39.8.1, <40.7.0, <41.0.0) allows unauthenticated remote attackers to potentially execute arbitrary code when offscreen rendering is enabled and child windows are permitted. The vulnerability triggers when a parent offscreen WebContents is destroyed while child windows remain active, causing subsequent paint operations to dereference freed memory. EPSS data not available; no public exploit identified at time of analysis. Fixed versions released by vendor.
Technical ContextAI
This is a classic use-after-free vulnerability (CWE-416) in Electron's offscreen rendering implementation. Electron, a framework for building cross-platform desktop applications using web technologies, provides an offscreen rendering mode that allows applications to render web content without displaying it on screen. The vulnerability occurs in the memory management layer when a parent WebContents object configured with 'webPreferences.offscreen: true' is destroyed while child windows opened via 'window.open()' remain alive. The child window's subsequent paint frame operations attempt to access the parent's freed memory region, leading to a dangling pointer dereference. This affects the npm package 'pkg:npm/electron' across multiple major version branches. The issue is specific to applications that both enable offscreen rendering AND allow child window creation through their 'setWindowOpenHandler' configuration-a relatively narrow attack surface that limits exposure to specific application architectures.
RemediationAI
Vendor-released patches are available across all affected version branches. Upgrade to Electron version 41.0.0 or later for the 41.x branch, version 40.7.0 or later for the 40.x branch, or version 39.8.1 or later for the 39.x branch. Organizations should update to the latest patched version within their current major version to maintain compatibility while addressing the vulnerability. For applications that cannot immediately upgrade, implement defensive workarounds by modifying the setWindowOpenHandler to deny child window creation from offscreen renderers, or implement lifecycle management to ensure all child windows are explicitly closed before destroying parent WebContents objects. Review application code for patterns where offscreen WebContents might be destroyed without proper child window cleanup. Consult the official security advisory at https://github.com/electron/electron/security/advisories/GHSA-532v-xpq5-8h95 for additional implementation guidance. For questions regarding remediation strategies, contact the Electron security team at security@electronjs.org.
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-532v-xpq5-8h95