Platform
nodejs
Component
electron
Fixed in
39.8.2
40.0.1
41.0.1
CVE-2026-34774 is a use-after-free vulnerability affecting Electron applications that utilize offscreen rendering and permit child windows via the window.open() method. This flaw can lead to a crash or memory corruption if the parent offscreen WebContents is destroyed while a child window remains open. Applications using Electron versions up to 39.8.1 are potentially affected. A workaround is to deny child window creation.
CVE-2026-34774 affects Electron applications utilizing offscreen rendering and opening child windows via window.open(). Prior to versions 39.8.1, 40.7.0, and 41.0.0, if the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child can dereference freed memory, potentially leading to a crash or memory corruption. This issue specifically targets applications that explicitly use offscreen rendering and the window.open() functionality. The CVSS severity is 8.1, indicating a high-risk vulnerability. The nature of the memory corruption can cause the application to behave unpredictably or crash.
Exploitation of this vulnerability requires an attacker to be able to control the JavaScript code executed within the vulnerable Electron application. This could be achieved through malicious code injection, or if the application loads content from untrusted sources. Once the attacker has control over the code, they can manipulate the window lifecycle to trigger the use of freed memory. Due to the nature of offscreen rendering, exploitation can be complex and dependent on the specific application architecture. The lack of KEV (Knowledge Enhanced Vulnerability) indicates that there is no public detailed information regarding the real-world exploitation of this vulnerability.
Exploit Status
EPSS
0.06% (18% percentile)
CISA SSVC
CVSS Vector
The solution for CVE-2026-34774 is to upgrade to Electron version 39.8.1 or higher, 40.7.0 or higher, or 41.0.0 or higher. These versions include fixes that prevent the dereferencing of freed memory. Developers are strongly encouraged to update their Electron applications as soon as possible to mitigate this risk. Additionally, reviewing code to identify and remove unnecessary use of offscreen rendering and child windows opened with window.open() is recommended to reduce the attack surface. Thorough testing after the upgrade is crucial to ensure application stability.
Actualice a la versión 39.8.1, 40.7.0 o 41.0.0 de Electron para mitigar la vulnerabilidad de uso tras la liberación. Asegúrese de que las aplicaciones no utilicen offscreen rendering (webPreferences.offscreen: true) o que el manejo de ventanas secundarias esté configurado correctamente para evitar la apertura de ventanas secundarias no deseadas.
Vulnerability analysis and critical alerts directly to your inbox.
No, it only affects applications that utilize offscreen rendering and the window.open() function.
If you cannot update immediately, consider implementing temporary mitigation measures, such as input validation and limiting memory access.
Check the version of Electron you are using. If it is prior to 39.8.1, 40.7.0, or 41.0.0, your application is vulnerable.
It's a technique that allows rendering web content on a surface separate from the main window, which can improve performance in some cases.
While there are no specific automated tools, a manual code review for offscreen and window.open() can help identify usage.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.