Skip to main content

Microsoft CVE-2026-34774

HIGH
Use After Free (CWE-416)
2026-04-03 https://github.com/electron/electron GHSA-532v-xpq5-8h95
8.1
CVSS 3.1 · Vendor: https://github.com/electron/electron
Share

Severity by source

Vendor (https://github.com/electron/electron) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (https://github.com/electron/electron).

CVSS VectorVendor: https://github.com/electron/electron

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 22, 2026 - 18:07 vuln.today
cvss_changed
Patch released
Apr 03, 2026 - 08:30 nvd
Patch available
Analysis Generated
Apr 03, 2026 - 02:45 vuln.today
CVE Published
Apr 03, 2026 - 02:42 nvd
HIGH 8.1

DescriptionCVE.org

Impact

Apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption.

Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected.

Workarounds

Deny child window creation from offscreen renderers in your setWindowOpenHandler, or ensure child windows are closed before the parent is destroyed.

Fixed Versions

  • 41.0.0
  • 40.7.0
  • 39.8.1

For more information

If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Use-after-free memory corruption in Electron framework (versions <39.8.1, <40.7.0, <41.0.0) allows unauthenticated remote attackers to potentially execute arbitrary code when offscreen rendering is enabled and child windows are permitted. The vulnerability triggers when a parent offscreen WebContents is destroyed while child windows remain active, causing subsequent paint operations to dereference freed memory. EPSS data not available; no public exploit identified at time of analysis. Fixed versions released by vendor.

Technical ContextAI

This is a classic use-after-free vulnerability (CWE-416) in Electron's offscreen rendering implementation. Electron, a framework for building cross-platform desktop applications using web technologies, provides an offscreen rendering mode that allows applications to render web content without displaying it on screen. The vulnerability occurs in the memory management layer when a parent WebContents object configured with 'webPreferences.offscreen: true' is destroyed while child windows opened via 'window.open()' remain alive. The child window's subsequent paint frame operations attempt to access the parent's freed memory region, leading to a dangling pointer dereference. This affects the npm package 'pkg:npm/electron' across multiple major version branches. The issue is specific to applications that both enable offscreen rendering AND allow child window creation through their 'setWindowOpenHandler' configuration-a relatively narrow attack surface that limits exposure to specific application architectures.

RemediationAI

Vendor-released patches are available across all affected version branches. Upgrade to Electron version 41.0.0 or later for the 41.x branch, version 40.7.0 or later for the 40.x branch, or version 39.8.1 or later for the 39.x branch. Organizations should update to the latest patched version within their current major version to maintain compatibility while addressing the vulnerability. For applications that cannot immediately upgrade, implement defensive workarounds by modifying the setWindowOpenHandler to deny child window creation from offscreen renderers, or implement lifecycle management to ensure all child windows are explicitly closed before destroying parent WebContents objects. Review application code for patterns where offscreen WebContents might be destroyed without proper child window cleanup. Consult the official security advisory at https://github.com/electron/electron/security/advisories/GHSA-532v-xpq5-8h95 for additional implementation guidance. For questions regarding remediation strategies, contact the Electron security team at security@electronjs.org.

Vendor StatusVendor

Share

CVE-2026-34774 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy