PT-2026-30010 · Electron · Electron

Published 2026-04-03 · Updated 2026-04-04 · CVE-2026-34780

CVSS v3.1: 8.3 High

Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Electron versions 39.0.0-alpha.1 through 39.7.9, 40.0.0-alpha.1 through 40.6.9, and 41.0.0-alpha.1 through 41.0.0-beta.7

Description: Electron applications that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are susceptible to a context isolation bypass. An attacker with the ability to execute JavaScript in the main world, such as through a cross-site scripting (XSS) attack, can leverage a bridged VideoFrame to gain access to the isolated world, potentially including Node.js APIs exposed via the preload script. Applications are only at risk if a preload script returns, resolves, or passes a VideoFrame object to the main world using contextBridge.exposeInMainWorld(). The issue is addressed in versions 39.8.0, 40.7.0, and 41.0.0-beta.8.

Recommendations: Versions 39.0.0-alpha.1 through 39.7.9 should be updated to version 39.8.0. Versions 40.0.0-alpha.1 through 40.6.9 should be updated to version 40.7.0. Versions 41.0.0-alpha.1 through 41.0.0-beta.7 should be updated to version 41.0.0-beta.8. As a workaround, avoid passing VideoFrame objects across the contextBridge. If video frame data transfer is necessary, serialize it to an ArrayBuffer or ImageBitmap before bridging.
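Added example of the workaround above (not code from the advisory or the Electron project): the preload script copies the frame's pixels into a plain ArrayBuffer and exposes only that plus scalar metadata, never the VideoFrame itself. It assumes the standard WebCodecs VideoFrame methods (allocationSize, copyTo, close); frameSource is a hypothetical async supplier of frames, makeStubFrame is a constructed stand-in so the block runs under plain Node without Electron, and the contextBridge.exposeInMainWorld call appears only in a comment.

```javascript
// Assumed WebCodecs VideoFrame surface: format, codedWidth, codedHeight,
// timestamp, allocationSize(), copyTo(buf) -> Promise<PlaneLayout[]>, close().
async function serializeVideoFrame(frame) {
  const buffer = new ArrayBuffer(frame.allocationSize());
  const layout = await frame.copyTo(buffer);
  // Plain data only: primitives, a plain object and an ArrayBuffer all survive
  // contextBridge's structured clone without leaking the isolated-world object.
  return {
    format: frame.format,
    codedWidth: frame.codedWidth,
    codedHeight: frame.codedHeight,
    timestamp: frame.timestamp,
    layout: layout.map(({ offset, stride }) => ({ offset, stride })),
    data: buffer,
  };
}

// Object a preload script would pass to
// contextBridge.exposeInMainWorld('video', buildBridgeApi(frameSource)).
function buildBridgeApi(frameSource) {
  return {
    grabFrame: async () => {
      const frame = await frameSource();
      try {
        return await serializeVideoFrame(frame); // never `return frame`
      } finally {
        frame.close(); // free the media buffer in the isolated world
      }
    },
  };
}

// Constructed stand-in for a real VideoFrame so this runs under plain Node:
// a 4x2 I420 frame (8 Y bytes + 2 U bytes + 2 V bytes = 12 bytes).
function makeStubFrame() {
  const frame = {
    format: 'I420', codedWidth: 4, codedHeight: 2, timestamp: 1000,
    isClosed: false, // stub-only flag; real frames have no such property
    allocationSize: () => 12,
    async copyTo(dest) {
      if (frame.isClosed) throw new Error('VideoFrame is closed');
      new Uint8Array(dest).forEach((_, i, a) => { a[i] = i; });
      return [{ offset: 0, stride: 4 }, { offset: 8, stride: 2 }, { offset: 10, stride: 2 }];
    },
    close() { frame.isClosed = true; },
  };
  return frame;
}
```

The renderer receives only a clonable snapshot; if it needs a drawable object it can reconstruct one on its own side (for example via createImageBitmap), so no isolated-world object ever crosses the bridge.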

Weakness Enumeration

Exposure of Resource to Wrong Sphere

Related Identifiers

CVE-2026-34780
GHSA-JFQG-HF23-QPW2

Affected Products

Electron