logo

Database

Inappropriate coding practices In electron

Description

Electron: Use-after-free in offscreen child window paint callback

Impact

Apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption.

Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected.

Workarounds

Deny child window creation from offscreen renderers in your setWindowOpenHandler, or ensure child windows are closed before the parent is destroyed.

Fixed Versions

    41.0.0

    40.7.0

    39.8.1

For more information

If there are any questions or comments about this advisory, please email [email protected]

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-347742. NVD-2026-347743. OSV-2026-347744. GHSA-532v-xpq5-8h955. GCVE-2026-34774

References

1. https://github.com/electron/electron/security/advisories/GHSA-532v-xpq5-8h95

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.