CVE-2026-34774: Electron: Use-after-free in offscreen child window paint callback

April 3, 2026 (updated April 6, 2026)

Apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption.

Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected.

References

github.com/advisories/GHSA-532v-xpq5-8h95
github.com/electron/electron
github.com/electron/electron/security/advisories/GHSA-532v-xpq5-8h95
nvd.nist.gov/vuln/detail/CVE-2026-34774

Code Behaviors & Features

Detect and mitigate CVE-2026-34774 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →