{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/electron/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.3,"id":"CVE-2026-34780"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["electron","context-isolation","javascript","xss","CVE-2026-34780","defense-evasion","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eElectron, a framework for building cross-platform desktop applications using web technologies, is vulnerable to a context isolation bypass (CVE-2026-34780) when handling VideoFrame objects. This vulnerability affects Electron versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8. Specifically, applications are at risk if they utilize \u003ccode\u003econtextBridge.exposeInMainWorld()\u003c/code\u003e to pass a VideoFrame object from a preload script to the main world. An attacker who achieves JavaScript execution in the main world, for example, through a cross-site scripting (XSS) vulnerability, can leverage a bridged VideoFrame to bypass context isolation and gain access to the isolated world, including Node.js APIs exposed to the preload script. This access enables further malicious activities, potentially leading to arbitrary code execution on the host system. Patches are available in versions 39.8.0, 40.7.0, and 41.0.0-beta.8.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Electron application using a vulnerable version of Electron (39.0.0-alpha.1 to 39.7.x, 40.0.0-alpha.1 to 40.6.x, or 41.0.0-alpha.1 to 41.0.0-beta.7) that also uses \u003ccode\u003econtextBridge.exposeInMainWorld()\u003c/code\u003e to expose a \u003ccode\u003eVideoFrame\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eThe attacker injects malicious JavaScript code into the application\u0026rsquo;s main world. This can be achieved through various means, such as exploiting a cross-site scripting (XSS) vulnerability.\u003c/li\u003e\n\u003cli\u003eThe injected JavaScript code interacts with the bridged \u003ccode\u003eVideoFrame\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eVideoFrame\u003c/code\u003e object, due to the vulnerability, allows the attacker to bypass context isolation and gain access to the isolated world.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the access to the isolated world to access Node.js APIs that are exposed to the preload script.\u003c/li\u003e\n\u003cli\u003eThe attacker utilizes the exposed Node.js APIs to perform malicious actions, such as reading sensitive data, modifying application settings, or executing arbitrary code on the host system.\u003c/li\u003e\n\u003cli\u003eThe attacker may escalate privileges by exploiting further vulnerabilities or misconfigurations within the application or the underlying operating system.\u003c/li\u003e\n\u003cli\u003eThe final objective is to achieve arbitrary code execution on the host system, allowing the attacker to perform any desired actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability (CVE-2026-34780) allows an attacker to bypass context isolation in affected Electron applications, potentially leading to arbitrary code execution. The number of victims depends on the popularity and security posture of Electron applications that bridge VideoFrame objects. If the attack succeeds, an attacker could steal sensitive data, install malware, or completely compromise the user\u0026rsquo;s system. Sectors heavily reliant on Electron-based desktop applications, such as communication, development, and productivity tools, are at higher risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Electron applications to patched versions (39.8.0, 40.7.0, or 41.0.0-beta.8) to address CVE-2026-34780.\u003c/li\u003e\n\u003cli\u003eReview and sanitize all user-supplied input to prevent XSS vulnerabilities that can be leveraged to exploit CVE-2026-34780.\u003c/li\u003e\n\u003cli\u003eImplement strict Content Security Policy (CSP) to mitigate the risk of XSS attacks.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for suspicious JavaScript execution, especially related to \u003ccode\u003eVideoFrame\u003c/code\u003e objects and \u003ccode\u003econtextBridge.exposeInMainWorld()\u003c/code\u003e, to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for suspicious process execution via Node.js APIs to detect malicious behavior following a successful context isolation bypass.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-04T01:16:39Z","date_published":"2026-04-04T01:16:39Z","id":"/briefs/2026-04-electron-videoframes/","summary":"A context isolation bypass vulnerability exists in Electron applications that bridge VideoFrame objects via contextBridge, potentially allowing an attacker with JavaScript execution in the main world to access the isolated world and Node.js APIs.","title":"Electron VideoFrame Context Isolation Bypass Vulnerability (CVE-2026-34780)","url":"https://feed.craftedsignal.io/briefs/2026-04-electron-videoframes/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["electron","use-after-free","vulnerability","cve-2026-34774"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eElectron applications utilizing offscreen rendering (\u003ccode\u003ewebPreferences.offscreen: true\u003c/code\u003e) and permitting child windows via \u003ccode\u003ewindow.open()\u003c/code\u003e are susceptible to a use-after-free vulnerability, identified as CVE-2026-34774. This vulnerability arises when a parent offscreen \u003ccode\u003eWebContents\u003c/code\u003e is destroyed while a child window remains open. Subsequently, paint frames on the child window dereference freed memory, which can result in application crashes or memory corruption. Applications are only affected if they meet both criteria: employing offscreen rendering and allowing child window creation. Electron versions prior to 39.8.1, versions between 40.0.0-alpha.1 and 40.7.0, and versions between 41.0.0-alpha.1 and 41.0.0 are vulnerable. Defenders should prioritize patching or implementing workarounds to mitigate the risk of exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn Electron application is launched with \u003ccode\u003ewebPreferences.offscreen\u003c/code\u003e set to \u003ccode\u003etrue\u003c/code\u003e, enabling offscreen rendering.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s \u003ccode\u003esetWindowOpenHandler\u003c/code\u003e is configured to permit the creation of child windows using \u003ccode\u003ewindow.open()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eUser interaction or application logic triggers the creation of a child window.\u003c/li\u003e\n\u003cli\u003eThe parent offscreen \u003ccode\u003eWebContents\u003c/code\u003e is destroyed, for example, by closing the main window or navigating to a different page that releases the \u003ccode\u003eWebContents\u003c/code\u003e object.\u003c/li\u003e\n\u003cli\u003eThe child window remains open and continues to receive paint events.\u003c/li\u003e\n\u003cli\u003eDuring a paint event, the child window attempts to access memory that was previously allocated to the parent \u003ccode\u003eWebContents\u003c/code\u003e but has now been freed.\u003c/li\u003e\n\u003cli\u003eThis memory access results in a use-after-free condition, leading to a crash or memory corruption.\u003c/li\u003e\n\u003cli\u003eAn attacker can potentially leverage this memory corruption to execute arbitrary code within the context of the Electron application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to application crashes and potential arbitrary code execution. The severity is high, as code execution could allow an attacker to gain control of the affected application, potentially leading to data theft, system compromise, or other malicious activities. Organizations using vulnerable Electron applications may experience service disruptions and potential data breaches. The number of affected applications and users is potentially large, given the widespread use of Electron for cross-platform desktop application development.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Electron versions 39.8.1, 40.7.0, or 41.0.0 or later to address CVE-2026-34774.\u003c/li\u003e\n\u003cli\u003eImplement the suggested workarounds by either denying child window creation from offscreen renderers in your \u003ccode\u003esetWindowOpenHandler\u003c/code\u003e or ensuring child windows are closed before the parent is destroyed.\u003c/li\u003e\n\u003cli\u003eMonitor application logs for unexpected crashes or memory-related errors that may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eConsider implementing runtime application self-protection (RASP) techniques to detect and prevent use-after-free vulnerabilities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T02:42:27Z","date_published":"2026-04-03T02:42:27Z","id":"/briefs/2026-04-electron-use-after-free/","summary":"A use-after-free vulnerability (CVE-2026-34774) exists in Electron applications using offscreen rendering and allowing child windows, potentially leading to crashes or memory corruption if the parent WebContents is destroyed before the child window.","title":"Electron Use-After-Free Vulnerability in Offscreen Rendering with Child Windows","url":"https://feed.craftedsignal.io/briefs/2026-04-electron-use-after-free/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["electron","use-after-free","vulnerability","powermonitor","windows","macos"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA use-after-free vulnerability has been identified in the \u003ccode\u003epowerMonitor\u003c/code\u003e module of Electron versions prior to 38.8.6, between 39.0.0-alpha.1 and 39.8.1, between 40.0.0-alpha.1 and 40.8.0, and between 41.0.0-alpha.1 and 41.0.0-beta.8. This vulnerability occurs when the native \u003ccode\u003ePowerMonitor\u003c/code\u003e object is garbage-collected, but associated OS-level resources (message window on Windows, shutdown handler on macOS) retain dangling references. This issue can lead to a crash or memory corruption when a session-change event on Windows or system shutdown on macOS attempts to dereference the freed memory. All Electron applications that utilize the \u003ccode\u003epowerMonitor\u003c/code\u003e module and its events (e.g., \u003ccode\u003esuspend\u003c/code\u003e, \u003ccode\u003eresume\u003c/code\u003e, \u003ccode\u003elock-screen\u003c/code\u003e) are potentially vulnerable. Defenders should prioritize patching Electron to the fixed versions to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn Electron application is built using a vulnerable version of Electron (e.g., 38.8.5).\u003c/li\u003e\n\u003cli\u003eThe application utilizes the \u003ccode\u003epowerMonitor\u003c/code\u003e module to listen for system power events.\u003c/li\u003e\n\u003cli\u003eThe application runs on a Windows or macOS system.\u003c/li\u003e\n\u003cli\u003eThe native \u003ccode\u003ePowerMonitor\u003c/code\u003e object is garbage-collected by the JavaScript engine. The associated OS-level resources on Windows (message window) or macOS (shutdown handler) are not properly released.\u003c/li\u003e\n\u003cli\u003eA session-change event occurs on Windows (e.g., user lock/unlock) or a system shutdown is initiated on macOS.\u003c/li\u003e\n\u003cli\u003eThe OS attempts to notify the previously freed \u003ccode\u003ePowerMonitor\u003c/code\u003e object about the session change or shutdown event.\u003c/li\u003e\n\u003cli\u003eThe OS dereferences the dangling pointer, leading to a use-after-free condition.\u003c/li\u003e\n\u003cli\u003eThe application crashes or experiences memory corruption, potentially leading to denial of service or other undefined behavior.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this use-after-free vulnerability can lead to application crashes and potential memory corruption. The impact affects any Electron application that uses the \u003ccode\u003epowerMonitor\u003c/code\u003e module, potentially disrupting application functionality and causing data loss. The vulnerability affects all platforms where Electron applications are deployed, specifically Windows and macOS. The severity is high due to the potential for application instability and the lack of application-side workarounds, requiring a patch to the Electron framework itself.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Electron to a patched version (41.0.0-beta.8, 40.8.0, 39.8.1, or 38.8.6) to resolve the use-after-free vulnerability in the \u003ccode\u003epowerMonitor\u003c/code\u003e module.\u003c/li\u003e\n\u003cli\u003eMonitor application crash logs for indicators of use-after-free conditions, especially following session-change events on Windows or system shutdowns on macOS.\u003c/li\u003e\n\u003cli\u003eImplement application monitoring to detect unexpected memory corruption events, which could be a sign of successful exploitation.\u003c/li\u003e\n\u003cli\u003eContact \u003ca href=\"mailto:security@electronjs.org\"\u003esecurity@electronjs.org\u003c/a\u003e for any questions or comments about the advisory.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T02:39:52Z","date_published":"2026-04-03T02:39:52Z","id":"/briefs/2024-01-29-electron-use-after-free/","summary":"A use-after-free vulnerability exists in the `powerMonitor` module of Electron applications on Windows and macOS. When the native `PowerMonitor` object is garbage-collected, dangling references are retained by OS-level resources. Subsequent session-change events on Windows or system shutdowns on macOS may dereference freed memory, potentially leading to a crash or memory corruption.","title":"Electron Use-After-Free Vulnerability in PowerMonitor Module","url":"https://feed.craftedsignal.io/briefs/2024-01-29-electron-use-after-free/"}],"language":"en","title":"CraftedSignal Threat Feed — Electron","version":"https://jsonfeed.org/version/1.1"}