CVE-2026-34774
Published: 04 April 2026
Summary
CVE-2026-34774 is a high-severity Use After Free (CWE-416) vulnerability in Electronjs Electron. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 5.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely remediation through patching Electron to versions 39.8.1, 40.7.0, or 41.0.0 directly eliminates the use-after-free vulnerability in offscreen WebContents handling.
Configuration settings that disable offscreen rendering (webPreferences.offscreen: false) or deny child windows via setWindowOpenHandler prevent the vulnerable conditions from occurring.
Memory protection mechanisms such as ASLR and DEP mitigate exploitation of the use-after-free by complicating reliable dereferencing of freed memory in child window paint frames.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free memory corruption in Electron client framework enables exploitation for code execution in desktop applications (high C/I/A impact).
NVD Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 39.8.1, 40.7.0, and 41.0.0, apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected. This issue has been patched in versions 39.8.1, 40.7.0, and 41.0.0.
Deeper analysis
CVE-2026-34774 is a use-after-free vulnerability (CWE-416) in the Electron framework, used for building cross-platform desktop applications with JavaScript, HTML, and CSS. It affects Electron versions prior to 39.8.1, 40.7.0, and 41.0.0, but only applications that enable offscreen rendering via webPreferences.offscreen: true and whose setWindowOpenHandler permits child windows opened with window.open().
The vulnerability arises when a parent offscreen WebContents is destroyed while a child window opened via window.open() remains active, causing subsequent paint frames on the child to dereference freed memory and potentially lead to a crash or memory corruption. Exploitation requires network access (AV:N) with no privileges (PR:N) or user interaction (UI:N), but high attack complexity (AC:H), yielding a CVSS 3.1 score of 8.1 with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Any remote attacker able to influence app behavior under these specific conditions could trigger it.
The Electron security advisory (GHSA-532v-xpq5-8h95) at https://github.com/electron/electron/security/advisories/GHSA-532v-xpq5-8h95 confirms the issue and states that it has been addressed in versions 39.8.1, 40.7.0, and 41.0.0. Applications not using offscreen rendering or denying child windows are unaffected; practitioners should verify and update Electron-based apps to these versions for mitigation.
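A triage sketch for the verification step above, added here as an example and not taken from the Electron project or the advisory. It combines the fixed versions and the two configuration preconditions stated on this page; the function names, result labels, and inventory entries are constructed, and treating majors below 39 and prereleases of a fixed version as unpatched is an assumption drawn from the "prior to" wording.

```javascript
// Added example: classify an app's exposure to CVE-2026-34774 from its
// Electron version and the two preconditions named in the advisory text.
const FIXED_BY_MAJOR = { 39: [39, 8, 1], 40: [40, 7, 0] }; // from this page
const FIRST_FIXED_MAJOR = [41, 0, 0];                      // from this page

// Accepts "40.6.2", "v39.8.1" or "41.0.0-beta.3".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable Electron version: ${v}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

function compareParts(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isPatched(version) {
  const { parts, pre } = parseVersion(version);
  // Assumption: release lines older than 39 have no fixed build (none listed).
  const fixed = parts[0] >= 41 ? FIRST_FIXED_MAJOR : FIXED_BY_MAJOR[parts[0]];
  if (!fixed) return false;
  const c = compareParts(parts, fixed);
  // Assumption: a prerelease of the fixed version sorts before it (semver).
  return c > 0 || (c === 0 && !pre);
}

// offscreen: any window created with webPreferences.offscreen: true
// allowsChildWindows: setWindowOpenHandler can return { action: "allow" }
function triage({ electronVersion, offscreen, allowsChildWindows }) {
  if (isPatched(electronVersion)) return "patched";
  if (!offscreen || !allowsChildWindows) return "unpatched-preconditions-absent";
  return "affected";
}

// Constructed inventory, not real applications.
const INVENTORY = [
  { name: "pdf-renderer", electronVersion: "40.6.2", offscreen: true, allowsChildWindows: true },
  { name: "chat-client", electronVersion: "39.8.0", offscreen: false, allowsChildWindows: true },
  { name: "kiosk", electronVersion: "41.0.0-beta.3", offscreen: true, allowsChildWindows: false },
  { name: "editor", electronVersion: "40.7.0", offscreen: true, allowsChildWindows: true },
];

function report(apps = INVENTORY) {
  return apps.map((a) => `${a.name}: ${triage(a)}`);
}
```

An "unpatched-preconditions-absent" result still warrants the upgrade, since a later code change that enables offscreen rendering or child windows would make the app affected.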
Details
- CWE(s)