Fluid Attacks Database

Description

Electron: Context Isolation bypass via contextBridge VideoFrame transfer

Impact

Apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script.

Apps are only affected if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Apps that do not bridge VideoFrame objects are not affected.

Workarounds

Do not pass VideoFrame objects across contextBridge. If an app needs to transfer video frame data, serialize it to an ArrayBuffer or ImageBitmap before bridging.

Fixed Versions

41.0.0-beta.8

40.7.0

39.8.0

For more information

If there are any questions or comments about this advisory, please email [email protected]

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	electron	>=39.0.0-alpha.1 <39.8.0 \|\| >=40.0.0-alpha.1 <40.7.0 \|\| >=41.0.0-alpha.1 <41.0.0-beta.8	39.8.0, 40.7.0, 41.0.0-beta.8

Aliases

1. CVE-2026-347802. NVD-2026-347803. OSV-2026-347804. GHSA-jfqg-hf23-qpw25. GCVE-2026-34780

References

1. https://github.com/electron/electron/security/advisories/GHSA-jfqg-hf23-qpw2

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.