CVE-2026-34774
Received Received - Intake
Use-After-Free in Electron Offscreen Rendering Causes Memory Corruption

Publication date: 2026-04-04

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 39.8.1, 40.7.0, and 41.0.0, apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected. This issue has been patched in versions 39.8.1, 40.7.0, and 41.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-04
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34774
Affected Vendors & Products
Showing 16 associated CPEs
Vendor Product Version / Range
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron From 40.0.0 (inc) to 40.7.0 (exc)
electronjs electron 41.0.0
electronjs electron to 39.8.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-34774 is a use-after-free vulnerability in the Electron framework that affects applications using offscreen rendering with child windows created via window.open().

If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint operations on the child window access memory that has already been freed. This can cause the application to crash or experience memory corruption.

Only apps that enable offscreen rendering (by setting webPreferences.offscreen: true) and allow child windows through their setWindowOpenHandler are affected. Apps that do not use offscreen rendering or that block child window creation are not vulnerable.

The issue has been fixed in Electron versions 39.8.1, 40.7.0, and 41.0.0.

Impact Analysis

This vulnerability can lead to application crashes or memory corruption due to use-after-free errors when offscreen rendering and child windows are used improperly.

Because the vulnerability has a high CVSS score (8.1) with high impacts on confidentiality, integrity, and availability, it could potentially be exploited remotely without user interaction, leading to severe consequences such as data corruption, application instability, or denial of service.

Detection Guidance

This vulnerability occurs in Electron applications that use offscreen rendering with child windows created via window.open(). Detection involves identifying if your application uses the webPreferences.offscreen: true setting and permits child windows through setWindowOpenHandler.

Since this is a use-after-free vulnerability leading to crashes or memory corruption, monitoring application logs for crashes or unusual behavior related to rendering child windows can help detect exploitation attempts.

There are no specific network commands provided to detect this vulnerability directly, as it is related to application behavior and memory management.

Suggested steps include checking the Electron version used by your applications to see if it is prior to the patched versions (39.8.1, 40.7.0, 41.0.0). You can run commands to check the Electron version, for example:

  • In a terminal, run `electron --version` or check the package.json dependencies for the Electron version.
  • Review application source code or configuration files for `webPreferences.offscreen` set to true and usage of `setWindowOpenHandler` allowing child windows.
Mitigation Strategies

Immediate mitigation steps include updating Electron to a patched version: 39.8.1, 40.7.0, or 41.0.0 or later.

If updating is not immediately possible, you can apply workarounds such as:

  • Deny child window creation from offscreen renderers by modifying the `setWindowOpenHandler` to block or prevent child windows.
  • Ensure that all child windows are closed before the parent offscreen WebContents is destroyed to avoid use-after-free conditions.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34774. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart