Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 39.8.1, 40.7.0, and 41.0.0, apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected. This issue has been patched in versions 39.8.1, 40.7.0, and 41.0.0.
Published: 2026-04-03
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a use‑after‑free triggered during the paint callback of a child window rendered offscreen. When an offscreen WebContents parent is destroyed while a child window remains open, subsequent paint frames on that child dereference freed memory. The result can be a crash or memory corruption, potentially allowing exploitation to compromise application integrity or stability.

Affected Systems

The issue affects Electron releases prior to 39.8.1, 40.7.0, and 41.0.0. Applications that enable offscreen rendering (webPreferences.offscreen: true) and allow child windows via window.open() are at risk. All other Electron applications that do not use offscreen rendering or explicitly deny child windows are not affected.

Risk and Exploitability

The CVSS score of 8.1 classifies it as high severity, and the very low EPSS score (<1%) indicates a low probability of exploitation in the wild. It is not listed in CISA’s KEV catalog. Although the description only states a crash or memory corruption, the use‑after‑free could allow malicious code to run if an attacker crafts a suitable payload. The attack likely requires the application to be executed with the vulnerable settings, so threat vectors are limited to user‑controlled applications.

Generated by OpenCVE AI on April 7, 2026 at 01:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patched version of Electron (39.8.1, 40.7.0, or 41.0.0) to all applications that use offscreen rendering.
  • If upgrade is not immediately feasible, disable offscreen rendering by setting webPreferences.offscreen to false for applications that do not require it.
  • Alternatively, ensure setWindowOpenHandler denies child windows for any application that must stay on older Electron releases.
  • Verify that no other processes hold references to offscreen WebContents before terminating them.

Generated by OpenCVE AI on April 7, 2026 at 01:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-532v-xpq5-8h95 Electron: Use-after-free in offscreen child window paint callback
History

Wed, 22 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Electronjs
Electronjs electron
CPEs cpe:2.3:a:electronjs:electron:*:*:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:alpha6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta1:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta2:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta3:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta4:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta5:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta6:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta7:*:*:*:node.js:*:*
cpe:2.3:a:electronjs:electron:41.0.0:beta8:*:*:*:node.js:*:*
Vendors & Products Electronjs
Electronjs electron

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Electron
Electron electron
Weaknesses CWE-825
Vendors & Products Electron
Electron electron
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 39.8.1, 40.7.0, and 41.0.0, apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected. This issue has been patched in versions 39.8.1, 40.7.0, and 41.0.0.
Title Electron: Use-after-free in offscreen child window paint callback
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Electron Electron
Electronjs Electron
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T03:55:38.650Z

Reserved: 2026-03-30T19:54:55.555Z

Link: CVE-2026-34774

cve-icon Vulnrichment

Updated: 2026-04-06T15:29:18.652Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-04T00:16:18.447

Modified: 2026-04-22T17:53:42.977

Link: CVE-2026-34774

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-03T23:52:38Z

Links: CVE-2026-34774 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:16:24Z

Weaknesses