Electron patches context isolation bypass via bridged VideoFrames
TL;DR — Electron apps that pass VideoFrame objects through contextBridge can enable a context isolation bypass, letting renderer-controlled JavaScript reach the isolated world (including preload-exposed Node.js APIs).
What happened
Electron is a framework for building cross-platform desktop applications using JavaScript/HTML/CSS (Chromium + Node.js), commonly used for developer tooling and enterprise desktop apps.
CVE-2026-34780 describes a context isolation bypass affecting Electron apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge. Per the CVE record, an attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script.
This is scored CVSS v3.1 8.4 (High). The practical risk is concentrated in apps that treat contextIsolation as a hard security boundary while also bridging complex object types across worlds; the exploit chain often starts with “just an XSS” and ends with privileged desktop capability access via preload bridges.
Who is impacted
- Electron-based applications on affected release lines.
- Apps are only affected if a preload script returns, resolves, or passes a `VideoFrame` object to the main world via `contextBridge.exposeInMainWorld()`.
- Apps that do not bridge `VideoFrame` objects are not affected.
| Component | Affected versions (per CVE record) | Patched versions (per CVE record) |
|---|---|---|
| `electron` | >= 39.0.0-alpha.1, < 39.8.0 | 39.8.0 |
| `electron` | >= 40.0.0-alpha.1, < 40.7.0 | 40.7.0 |
| `electron` | >= 41.0.0-alpha.1, < 41.0.0-beta.8 | 41.0.0-beta.8 |
What to do now
- Follow upstream Electron remediation guidance and apply a patched Electron release available at the time of writing.
- If your app uses `contextBridge`, audit preload code paths for any `VideoFrame` object crossing the bridge (returning, resolving, or passing through `contextBridge.exposeInMainWorld()`), and remove/avoid bridging `VideoFrame` objects where feasible.
- Treat this as a “renderer-to-preload escalation” class risk: review your renderer injection surfaces (e.g., XSS in `BrowserWindow` content) and validate that the preload only exposes the minimum necessary APIs to the renderer.
- Inventory Electron versions across desktop fleets (packaged apps, auto-updaters, embedded Electron in internal tools) and prioritize updates for apps that expose untrusted content or have high-value local credentials/secrets.
Additional Information
- Upstream advisory referenced by the CVE record:
https://github.com/electron/electron/security/advisories/GHSA-jfqg-hf23-qpw2
