VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-ttvv-eca2-sfhu

Essentials
Severities (25)
References (7)
Severity details (10)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-ttvv-eca2-sfhu
Aliases	CVE-2026-34774 GHSA-532v-xpq5-8h95
Summary	Electron: Use-after-free in offscreen child window paint callback ### Impact Apps that use offscreen rendering and allow child windows via `window.open()` may be vulnerable to a use-after-free. If the parent offscreen `WebContents` is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering (`webPreferences.offscreen: true`) and their `setWindowOpenHandler` permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected. ### Workarounds Deny child window creation from offscreen renderers in your `setWindowOpenHandler`, or ensure child windows are closed before the parent is destroyed. ### Fixed Versions * `41.0.0` * `40.7.0` * `39.8.1` ### For more information If there are any questions or comments about this advisory, please email [security@electronjs.org](mailto:security@electronjs.org)
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (4)

CWE-416	Use After Free
CWE-825	Expired Pointer Dereference
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	8.1	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34774.json
epss	0.00017	https://api.first.org/data/v1/epss?cve=CVE-2026-34774
epss	0.00018	https://api.first.org/data/v1/epss?cve=CVE-2026-34774
epss	0.00018	https://api.first.org/data/v1/epss?cve=CVE-2026-34774
epss	0.00018	https://api.first.org/data/v1/epss?cve=CVE-2026-34774
epss	0.00019	https://api.first.org/data/v1/epss?cve=CVE-2026-34774
epss	0.00019	https://api.first.org/data/v1/epss?cve=CVE-2026-34774
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2026-34774
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2026-34774
epss	0.00043	https://api.first.org/data/v1/epss?cve=CVE-2026-34774
epss	0.00056	https://api.first.org/data/v1/epss?cve=CVE-2026-34774
epss	0.00056	https://api.first.org/data/v1/epss?cve=CVE-2026-34774
epss	0.00056	https://api.first.org/data/v1/epss?cve=CVE-2026-34774
epss	0.00056	https://api.first.org/data/v1/epss?cve=CVE-2026-34774
epss	0.00056	https://api.first.org/data/v1/epss?cve=CVE-2026-34774
epss	0.00056	https://api.first.org/data/v1/epss?cve=CVE-2026-34774
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-532v-xpq5-8h95
cvssv3.1	8.1	https://github.com/electron/electron
generic_textual	HIGH	https://github.com/electron/electron
cvssv3.1	8.1	https://github.com/electron/electron/security/advisories/GHSA-532v-xpq5-8h95
cvssv3.1_qr	HIGH	https://github.com/electron/electron/security/advisories/GHSA-532v-xpq5-8h95
generic_textual	HIGH	https://github.com/electron/electron/security/advisories/GHSA-532v-xpq5-8h95
ssvc	Track	https://github.com/electron/electron/security/advisories/GHSA-532v-xpq5-8h95
cvssv3.1	8.1	https://nvd.nist.gov/vuln/detail/CVE-2026-34774
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2026-34774

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34774.json
		https://api.first.org/data/v1/epss?cve=CVE-2026-34774
		https://github.com/electron/electron
		https://github.com/electron/electron/security/advisories/GHSA-532v-xpq5-8h95
		https://nvd.nist.gov/vuln/detail/CVE-2026-34774
2455026		https://bugzilla.redhat.com/show_bug.cgi?id=2455026
GHSA-532v-xpq5-8h95		https://github.com/advisories/GHSA-532v-xpq5-8h95

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34774.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/electron/electron/security/advisories/GHSA-532v-xpq5-8h95

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-04-06T15:28:41Z/ Found at https://github.com/electron/electron/security/advisories/GHSA-532v-xpq5-8h95

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-34774

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.04115
EPSS Score	0.00017
Published At	April 21, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-03T21:42:24.022776+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-532v-xpq5-8h95/GHSA-532v-xpq5-8h95.json	38.1.0