CVE-2026-34774: Electron Use-After-Free in Offscreen Rendering
Platform: nodejs
Component: electron
Fixed in: 39.8.1
CVE-2026-34774 is a use-after-free vulnerability affecting Electron applications that utilize offscreen rendering and permit child windows via the `window.open()` method. This flaw can lead to a crash or memory corruption if the parent offscreen `WebContents` is destroyed while a child window remains open. Applications using Electron versions up to 39.8.1 are potentially affected. A workaround is to deny child window creation.
How to fix
Upgrade to Electron version 39.8.1 or later, 40.7.0 or later, or 41.0.0 or later. Make sure applications do not use offscreen rendering (`webPreferences.offscreen: true`), or, if offscreen rendering is required, that the window open handler (`window.openHandler`) is configured to deny child windows.
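The two checks above can be combined in the main process. This is an added example, not code from this page or from the Electron project. It assumes the fixed versions listed here and uses Electron's `webContents.isOffscreen()` and `webContents.setWindowOpenHandler()`; the names `hasFix` and `applyWorkaround` are hypothetical.

```javascript
// Added example (not Electron's or this page's code). Fixed versions are the
// ones listed on this page: 39.8.1+, 40.7.0+, 41.0.0+.
const FIXED_MIN = { 39: [8, 1], 40: [7, 0] }; // major -> [minor, patch]

// True when `version` is at or past a fixed release listed on the page.
function hasFix(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-.*)?$/.exec(String(version));
  // Assumption: unparseable and pre-release versions are treated as unpatched.
  if (!m || m[4]) return false;
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  if (major >= 41) return true;
  const min = FIXED_MIN[major];
  // Assumption: release lines below 39 have no fixed version on this page.
  if (!min) return false;
  return minor > min[0] || (minor === min[0] && patch >= min[1]);
}

// Deny window.open() children on an offscreen WebContents when unpatched.
// Returns true when the deny handler was installed.
function applyWorkaround(contents, electronVersion) {
  if (hasFix(electronVersion)) return false;
  if (!contents.isOffscreen()) return false;
  contents.setWindowOpenHandler(() => ({ action: 'deny' }));
  return true;
}

// Main-process wiring; skipped when the file is run under plain Node.js.
if (process.versions.electron) {
  const { app } = require('electron');
  app.on('web-contents-created', (_event, contents) => {
    applyWorkaround(contents, process.versions.electron);
  });
}
```

On a patched runtime the helper leaves existing window open handlers untouched, so the workaround can stay in the code base after the upgrade.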
Frequently asked questions
What is CVE-2026-34774?
CVE-2026-34774 is a use-after-free vulnerability in Electron that occurs when offscreen rendering is enabled and child windows are allowed, potentially leading to crashes or memory corruption.
Am I affected by CVE-2026-34774?
You are affected if your Electron application uses offscreen rendering (`webPreferences.offscreen: true`) and allows child windows via `window.open()`. Electron versions up to and including 39.8.1 are vulnerable.
How do I fix or mitigate CVE-2026-34774?
As a workaround, deny the creation of child windows in your application to prevent the use-after-free condition. An official patch may be available in later versions of Electron.