CVE-2026-34780
Received Received - Intake
Context Isolation Bypass in Electron via VideoFrame Bridging

Publication date: 2026-04-04

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script. Apps are only affected if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Apps that do not bridge VideoFrame objects are not affected. This issue has been patched in versions 39.8.0, 40.7.0, and 41.0.0-beta.8.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-04
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-04
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34780
Affected Vendors & Products
Showing 15 associated CPEs
Vendor Product Version / Range
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron 41.0.0
electronjs electron From 39.0.0 (inc) to 39.8.0 (exc)
electronjs electron From 40.0.0 (inc) to 40.7.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-668 The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to bypass context isolation and gain access to Node.js APIs exposed in the preload script by exploiting bridged VideoFrame objects. Such unauthorized access can lead to exposure, modification, or disruption of sensitive data handled by Electron applications.

Because of the high confidentiality, integrity, and availability impacts (as indicated by the CVSS score), this vulnerability could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding sensitive personal and health information against unauthorized access and breaches.

Applications affected by this vulnerability may fail to meet the security requirements mandated by these standards unless they apply the recommended patches or mitigations, such as avoiding passing VideoFrame objects directly across the contextBridge.

Executive Summary

CVE-2026-34780 is a context isolation bypass vulnerability in the Electron framework affecting certain versions. It occurs when applications pass VideoFrame objects, from the WebCodecs API, across Electron's contextBridge using contextBridge.exposeInMainWorld(). This allows an attacker who can execute JavaScript in the main world (for example, via cross-site scripting) to use the bridged VideoFrame object to gain access to the isolated world, including any Node.js APIs exposed to the preload script. Essentially, this bypasses the intended security boundary between the main and isolated contexts.

Only apps that transfer VideoFrame objects through the contextBridge are affected. Apps that do not pass these objects are not vulnerable. The issue has been patched in Electron versions 39.8.0, 40.7.0, and 41.0.0-beta.8.

Impact Analysis

This vulnerability can have serious impacts because it allows an attacker who can run JavaScript in the main world (such as through cross-site scripting) to bypass context isolation protections. This means the attacker can access the isolated world and any Node.js APIs exposed there, potentially leading to full compromise of the application.

  • Remote attackers can exploit this vulnerability over the network.
  • The attack requires user interaction and has high complexity.
  • Successful exploitation can lead to high impact on confidentiality, integrity, and availability of the affected application.
Detection Guidance

This vulnerability occurs in Electron applications that pass VideoFrame objects across the contextBridge using contextBridge.exposeInMainWorld(). Detection involves identifying if your Electron app uses this pattern.

Since the vulnerability is related to JavaScript code in the application, detection typically requires code review or static analysis rather than network commands.

Specifically, you should check your preload scripts and main world scripts for usage of contextBridge.exposeInMainWorld() passing VideoFrame objects.

There are no specific network commands or system commands provided to detect this vulnerability directly.

Mitigation Strategies

To mitigate this vulnerability, avoid passing VideoFrame objects directly across the contextBridge in your Electron application.

Instead, serialize video frame data into safer formats such as ArrayBuffer or ImageBitmap before exposing them via contextBridge.exposeInMainWorld().

Additionally, upgrade your Electron framework to one of the patched versions: 39.8.0, 40.7.0, or 41.0.0-beta.8 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34780. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart