Electron — CraftedSignal Threat Feed

Electron VideoFrame Context Isolation Bypass Vulnerability (CVE-2026-34780)

hello@craftedsignal.io — Sat, 04 Apr 2026 01:16:39 +0000

Electron, a framework for building cross-platform desktop applications using web technologies, is vulnerable to a context isolation bypass (CVE-2026-34780) when handling VideoFrame objects. This vulnerability affects Electron versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8. Specifically, applications are at risk if they utilize contextBridge.exposeInMainWorld() to pass a VideoFrame object from a preload script to the main world. An attacker who achieves JavaScript execution in the main world, for example, through a cross-site scripting (XSS) vulnerability, can leverage a bridged VideoFrame to bypass context isolation and gain access to the isolated world, including Node.js APIs exposed to the preload script. This access enables further malicious activities, potentially leading to arbitrary code execution on the host system. Patches are available in versions 39.8.0, 40.7.0, and 41.0.0-beta.8.

Attack Chain

The attacker identifies an Electron application using a vulnerable version of Electron (39.0.0-alpha.1 to 39.7.x, 40.0.0-alpha.1 to 40.6.x, or 41.0.0-alpha.1 to 41.0.0-beta.7) that also uses contextBridge.exposeInMainWorld() to expose a VideoFrame object.
The attacker injects malicious JavaScript code into the application’s main world. This can be achieved through various means, such as exploiting a cross-site scripting (XSS) vulnerability.
The injected JavaScript code interacts with the bridged VideoFrame object.
The VideoFrame object, due to the vulnerability, allows the attacker to bypass context isolation and gain access to the isolated world.
The attacker leverages the access to the isolated world to access Node.js APIs that are exposed to the preload script.
The attacker utilizes the exposed Node.js APIs to perform malicious actions, such as reading sensitive data, modifying application settings, or executing arbitrary code on the host system.
The attacker may escalate privileges by exploiting further vulnerabilities or misconfigurations within the application or the underlying operating system.
The final objective is to achieve arbitrary code execution on the host system, allowing the attacker to perform any desired actions.

Impact

Successful exploitation of this vulnerability (CVE-2026-34780) allows an attacker to bypass context isolation in affected Electron applications, potentially leading to arbitrary code execution. The number of victims depends on the popularity and security posture of Electron applications that bridge VideoFrame objects. If the attack succeeds, an attacker could steal sensitive data, install malware, or completely compromise the user’s system. Sectors heavily reliant on Electron-based desktop applications, such as communication, development, and productivity tools, are at higher risk.

Recommendation

Upgrade Electron applications to patched versions (39.8.0, 40.7.0, or 41.0.0-beta.8) to address CVE-2026-34780.
Review and sanitize all user-supplied input to prevent XSS vulnerabilities that can be leveraged to exploit CVE-2026-34780.
Implement strict Content Security Policy (CSP) to mitigate the risk of XSS attacks.
Monitor application logs for suspicious JavaScript execution, especially related to VideoFrame objects and contextBridge.exposeInMainWorld(), to detect potential exploitation attempts.
Deploy the Sigma rule for suspicious process execution via Node.js APIs to detect malicious behavior following a successful context isolation bypass.

Electron Use-After-Free Vulnerability in Offscreen Rendering with Child Windows

hello@craftedsignal.io — Fri, 03 Apr 2026 02:42:27 +0000

Electron applications utilizing offscreen rendering (webPreferences.offscreen: true) and permitting child windows via window.open() are susceptible to a use-after-free vulnerability, identified as CVE-2026-34774. This vulnerability arises when a parent offscreen WebContents is destroyed while a child window remains open. Subsequently, paint frames on the child window dereference freed memory, which can result in application crashes or memory corruption. Applications are only affected if they meet both criteria: employing offscreen rendering and allowing child window creation. Electron versions prior to 39.8.1, versions between 40.0.0-alpha.1 and 40.7.0, and versions between 41.0.0-alpha.1 and 41.0.0 are vulnerable. Defenders should prioritize patching or implementing workarounds to mitigate the risk of exploitation.

Attack Chain

An Electron application is launched with webPreferences.offscreen set to true, enabling offscreen rendering.
The application’s setWindowOpenHandler is configured to permit the creation of child windows using window.open().
User interaction or application logic triggers the creation of a child window.
The parent offscreen WebContents is destroyed, for example, by closing the main window or navigating to a different page that releases the WebContents object.
The child window remains open and continues to receive paint events.
During a paint event, the child window attempts to access memory that was previously allocated to the parent WebContents but has now been freed.
This memory access results in a use-after-free condition, leading to a crash or memory corruption.
An attacker can potentially leverage this memory corruption to execute arbitrary code within the context of the Electron application.

Impact

Successful exploitation of this vulnerability can lead to application crashes and potential arbitrary code execution. The severity is high, as code execution could allow an attacker to gain control of the affected application, potentially leading to data theft, system compromise, or other malicious activities. Organizations using vulnerable Electron applications may experience service disruptions and potential data breaches. The number of affected applications and users is potentially large, given the widespread use of Electron for cross-platform desktop application development.

Recommendation

Upgrade to Electron versions 39.8.1, 40.7.0, or 41.0.0 or later to address CVE-2026-34774.
Implement the suggested workarounds by either denying child window creation from offscreen renderers in your setWindowOpenHandler or ensuring child windows are closed before the parent is destroyed.
Monitor application logs for unexpected crashes or memory-related errors that may indicate exploitation attempts.
Consider implementing runtime application self-protection (RASP) techniques to detect and prevent use-after-free vulnerabilities.

Electron Use-After-Free Vulnerability in PowerMonitor Module

hello@craftedsignal.io — Fri, 03 Apr 2026 02:39:52 +0000

A use-after-free vulnerability has been identified in the powerMonitor module of Electron versions prior to 38.8.6, between 39.0.0-alpha.1 and 39.8.1, between 40.0.0-alpha.1 and 40.8.0, and between 41.0.0-alpha.1 and 41.0.0-beta.8. This vulnerability occurs when the native PowerMonitor object is garbage-collected, but associated OS-level resources (message window on Windows, shutdown handler on macOS) retain dangling references. This issue can lead to a crash or memory corruption when a session-change event on Windows or system shutdown on macOS attempts to dereference the freed memory. All Electron applications that utilize the powerMonitor module and its events (e.g., suspend, resume, lock-screen) are potentially vulnerable. Defenders should prioritize patching Electron to the fixed versions to mitigate the risk.

Attack Chain

An Electron application is built using a vulnerable version of Electron (e.g., 38.8.5).
The application utilizes the powerMonitor module to listen for system power events.
The application runs on a Windows or macOS system.
The native PowerMonitor object is garbage-collected by the JavaScript engine. The associated OS-level resources on Windows (message window) or macOS (shutdown handler) are not properly released.
A session-change event occurs on Windows (e.g., user lock/unlock) or a system shutdown is initiated on macOS.
The OS attempts to notify the previously freed PowerMonitor object about the session change or shutdown event.
The OS dereferences the dangling pointer, leading to a use-after-free condition.
The application crashes or experiences memory corruption, potentially leading to denial of service or other undefined behavior.

Impact

Successful exploitation of this use-after-free vulnerability can lead to application crashes and potential memory corruption. The impact affects any Electron application that uses the powerMonitor module, potentially disrupting application functionality and causing data loss. The vulnerability affects all platforms where Electron applications are deployed, specifically Windows and macOS. The severity is high due to the potential for application instability and the lack of application-side workarounds, requiring a patch to the Electron framework itself.

Recommendation

Upgrade Electron to a patched version (41.0.0-beta.8, 40.8.0, 39.8.1, or 38.8.6) to resolve the use-after-free vulnerability in the powerMonitor module.
Monitor application crash logs for indicators of use-after-free conditions, especially following session-change events on Windows or system shutdowns on macOS.
Implement application monitoring to detect unexpected memory corruption events, which could be a sign of successful exploitation.
Contact security@electronjs.org for any questions or comments about the advisory.