CVE-2026-34780: Electron Context Isolation Bypass via VideoFrame
Platform: nodejs
Component: electron
Fixed in: 39.8.0
CVE-2026-34780 is a context isolation bypass vulnerability affecting Electron applications. Specifically, apps that use the WebCodecs API and pass `VideoFrame` objects across the `contextBridge` are susceptible. An attacker who can execute JavaScript in the main world (e.g., via XSS) can exploit this vulnerability to gain unauthorized access to the isolated world, potentially reaching Node.js APIs exposed to the preload script. This affects Electron versions 39.0.0-alpha.1 through 39.8.0. Currently, there is no official patch available.
How to fix
Upgrade to an Electron version that includes the fix, such as 39.8.0, 40.7.0 or 41.0.0-beta.8. Make sure your preload script is not exposing `VideoFrame` objects through `contextBridge`. Review your code to identify and remove any use of `contextBridge.exposeInMainWorld()` with `VideoFrame` objects.
Frequently asked questions
What is CVE-2026-34780?
CVE-2026-34780 is a context isolation bypass vulnerability in Electron that occurs when `VideoFrame` objects are improperly handled across the `contextBridge`, potentially allowing attackers to bypass security restrictions.
Am I affected by CVE-2026-34780?
You are affected if your Electron application (versions 39.0.0-alpha.1 through 39.8.0) uses a preload script that returns, resolves, or passes a `VideoFrame` object to the main world via `contextBridge.exposeInMainWorld()`.
How can I fix or mitigate CVE-2026-34780?
Currently, there is no official patch available. As a workaround, avoid passing `VideoFrame` objects from the preload script to the main world via `contextBridge.exposeInMainWorld()`.
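One way to enforce the workaround above at runtime, as an added example that is not Electron's code or part of the original advisory: a wrapper applied to the preload API object before it is given to `contextBridge.exposeInMainWorld()`, which throws if a `VideoFrame` would be returned, resolved, or passed to a main-world callback. The helper names, the `'media'` key and `mediaApi` are assumptions made for illustration.

```javascript
// Added example: fail-closed guard for an API object handed to contextBridge.
// guardApi/containsFrame/check are hypothetical helper names, not Electron APIs.

// Deep-search own enumerable properties and Map/Set entries for a VideoFrame.
function containsFrame(value, FrameCtor, seen = new Set()) {
  if (value === null || typeof value !== 'object') return false;
  if (ArrayBuffer.isView(value)) return false; // raw pixel copies are fine
  if (value instanceof FrameCtor) return true;
  if (seen.has(value)) return false; // cycle protection
  seen.add(value);
  const items = value instanceof Map ? [...value.keys(), ...value.values()]
    : value instanceof Set ? [...value]
      : Object.values(value);
  return items.some((v) => containsFrame(v, FrameCtor, seen));
}

function check(value, where, FrameCtor) {
  if (containsFrame(value, FrameCtor)) {
    throw new TypeError(`VideoFrame must not cross contextBridge (${where})`);
  }
  return value;
}

// Wraps every function in `api` so a VideoFrame that is returned, resolved,
// or passed to a main-world callback throws instead of crossing the bridge.
function guardApi(api, FrameCtor = globalThis.VideoFrame, path = 'api') {
  if (typeof api === 'function') {
    return (...args) => {
      const safeArgs = args.map((a) => (typeof a === 'function'
        ? (...cbArgs) => a(...check(cbArgs, `${path} callback argument`, FrameCtor))
        : a));
      const result = api(...safeArgs);
      if (result !== null && typeof result === 'object' && typeof result.then === 'function') {
        return result.then((v) => check(v, `${path} resolved value`, FrameCtor));
      }
      return check(result, `${path} return value`, FrameCtor);
    };
  }
  const proto = api !== null && typeof api === 'object' ? Object.getPrototypeOf(api) : undefined;
  if (proto === Object.prototype || proto === null) { // plain object: recurse
    return Object.fromEntries(Object.entries(api).map(
      ([k, v]) => [k, guardApi(v, FrameCtor, `${path}.${k}`)]));
  }
  return check(api, path, FrameCtor); // static value exposed directly
}

// In a preload script (assumed API key 'media' and object mediaApi):
// contextBridge.exposeInMainWorld('media', guardApi(mediaApi));
```

The guard only inspects own enumerable properties and Map/Set entries, so it complements, rather than replaces, the code review and the upgrade described above.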