PT-2026-30004 · Electron · Electron

Published: 2026-04-03 · Updated: 2026-04-04 · CVE-2026-34774

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Electron versions prior to 39.8.1, 40.7.0, and 41.0.0

Description

Electron applications utilizing offscreen rendering and allowing child windows through window.open() may experience a use-after-free condition. Specifically, if a parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child window can dereference freed memory, potentially leading to a crash or memory corruption. Applications are only susceptible if they employ offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler allows the creation of child windows.

Recommendations

Versions prior to 39.8.1: Update to version 39.8.1 or later.
Versions prior to 40.7.0: Update to version 40.7.0 or later.
Versions prior to 41.0.0: Update to version 41.0.0 or later.

As a workaround, deny child window creation from offscreen renderers in your setWindowOpenHandler, or ensure child windows are closed before the parent is destroyed.
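The affected-version range and the two workarounds above, as an added JavaScript example for an Electron main process; it is not code from this advisory or from the Electron project. The helper names are hypothetical, and the version check reads the advisory's range literally: release lines older than 39 count as affected, and a pre-release of a fixed version is treated as not yet fixed.

```javascript
// Added example. First fixed release per major line, taken from the advisory text.
const FIXED = { 39: [8, 1], 40: [7, 0], 41: [0, 0] };

// True when an Electron version string falls in the affected range.
function isAffectedVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(String(version));
  if (!m) throw new TypeError(`unrecognised version: ${version}`);
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  if (major > 41) return false;
  if (major < 39) return true; // prior to 39.8.1; assumption: no fix on older lines
  const [fixedMinor, fixedPatch] = FIXED[major];
  if (minor !== fixedMinor) return minor < fixedMinor;
  if (patch !== fixedPatch) return patch < fixedPatch;
  return Boolean(m[4]); // a pre-release of the fixed version sorts before it
}

// Workaround A: an offscreen renderer may not open child windows at all.
function denyChildWindows(win) {
  win.webContents.setWindowOpenHandler(() => ({ action: 'deny' }));
}

// Workaround B: track children so they are torn down before the parent.
function trackChildWindows(win) {
  const children = new Set();
  win.webContents.on('did-create-window', (child) => {
    children.add(child);
    child.once('closed', () => children.delete(child));
  });
  // Call the returned function instead of win.destroy() on the offscreen parent.
  return function destroyParentLast() {
    for (const child of [...children]) {
      if (!child.isDestroyed()) child.destroy();
    }
    children.clear();
    if (!win.isDestroyed()) win.destroy();
  };
}
```

In the main process, pass `process.versions.electron` to `isAffectedVersion` at startup and apply one of the two helpers to each BrowserWindow created with webPreferences.offscreen: true.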

Fix

Use After Free

Weakness Enumeration

Related Identifiers

CVE-2026-34774
GHSA-532V-XPQ5-8H95

Affected Products

Electron