Use-After-Free Vulnerability in Electron Framework for Cross-Platform Applications
CVE-2026-34774

8.1 HIGH

Key Information:

Vendor: Electron

Status
Vendor
CVE Published: 3 April 2026

What is CVE-2026-34774?

Electron, a framework for building cross-platform desktop applications, has a use-after-free vulnerability in offscreen rendering. If a parent offscreen WebContents is destroyed while its child window is still open, the child window can go on to use freed memory, which can result in crashes or memory corruption. The issue specifically arises when apps use the 'offscreen' webPreferences setting and allow child windows to be opened via window.open(). It is fixed in versions 39.8.1, 40.7.0, and 41.0.0.

Affected Version(s)

electron < 39.8.1

electron >= 40.0.0-alpha.1, < 40.7.0

electron >= 41.0.0-alpha.1, < 41.0.0
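
The affected ranges and the two preconditions described above (the 'offscreen' webPreferences setting and child windows opened via window.open()) can be combined into a triage check. This is an added example, not code from Electron or from this advisory; the function names and the usesOffscreen / allowsWindowOpen inputs are assumptions that an app owner fills in from a review of their own code.

```javascript
// Added example (not Electron project code): triage for CVE-2026-34774.
// Version ranges come from this advisory; all names here are hypothetical.
const AFFECTED = [
  { min: null, fixed: '39.8.1' },
  { min: '40.0.0-alpha.1', fixed: '40.7.0' },
  { min: '41.0.0-alpha.1', fixed: '41.0.0' },
];

// Split "40.0.0-alpha.1" into its numeric core and prerelease identifiers.
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(version.trim());
  if (!m) throw new Error(`unparseable version: ${version}`);
  const pre = m[4] ? m[4].split('.').map((p) => (/^\d+$/.test(p) ? Number(p) : p)) : [];
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// SemVer precedence, returning -1, 0 or 1.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) {
    if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  }
  // A release sorts above any prerelease of the same core version.
  if (!x.pre.length || !y.pre.length) return Math.sign(y.pre.length - x.pre.length);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1; // fewer identifiers sorts lower
    if (q === undefined) return 1;
    if (p === q) continue;
    if (typeof p !== typeof q) return typeof p === 'number' ? -1 : 1; // numeric < alphanumeric
    return p < q ? -1 : 1;
  }
  return 0;
}

function isAffectedVersion(version) {
  return AFFECTED.some((r) =>
    (r.min === null || compare(version, r.min) >= 0) && compare(version, r.fixed) < 0);
}

// 'patched': fixed release. 'affected-version': vulnerable release, but the
// app does not combine offscreen rendering with window.open() child windows.
// 'exposed': vulnerable release and both preconditions hold; upgrade first.
function assessExposure({ version, usesOffscreen, allowsWindowOpen }) {
  if (!isAffectedVersion(version)) return 'patched';
  return usesOffscreen && allowsWindowOpen ? 'exposed' : 'affected-version';
}
```

Prerelease builds such as 41.0.0-beta.3 sort below 41.0.0 and are therefore still reported as affected.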

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
