8.4

Electron apps: Video frame transfer via contextBridge can give attackers control

GHSA-jfqg-hf23-qpw2 CVE-2026-34780
Summary

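Electron apps that pass VideoFrame objects (WebCodecs API) from a preload script to the page through contextBridge are exposed to a context isolation bypass. An attacker who can run JavaScript in the page (for example, via XSS) can use the bridged frame to reach the isolated world, including any Node.js APIs exposed to the preload script. Do not bridge video frames directly; convert them to an ArrayBuffer or ImageBitmap before transferring. Update to one of the fixed versions: Electron 41.0.0-beta.8, 40.7.0, or 39.8.0.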

What to do
  • Update electron to version 39.8.0.
  • Update electron to version 40.7.0.
  • Update electron to version 41.0.0-beta.8.
Affected software
| Vendor / Product | Affected versions | Fix available |
| --- | --- | --- |
| electron | > 39.0.0-alpha.1, <= 39.8.0 | 39.8.0 |
| electron | > 40.0.0-alpha.1, <= 40.7.0 | 40.7.0 |
| electron | > 41.0.0-alpha.1, <= 41.0.0-beta.8 | 41.0.0-beta.8 |
Original title
Electron: Context Isolation bypass via contextBridge VideoFrame transfer
Original description
### Impact
Apps that pass `VideoFrame` objects (from the WebCodecs API) across the `contextBridge` are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged `VideoFrame` to gain access to the isolated world, including any Node.js APIs exposed to the preload script.

Apps are only affected if a preload script returns, resolves, or passes a `VideoFrame` object to the main world via `contextBridge.exposeInMainWorld()`. Apps that do not bridge `VideoFrame` objects are not affected.

### Workarounds
Do not pass `VideoFrame` objects across `contextBridge`. If an app needs to transfer video frame data, serialize it to an `ArrayBuffer` or `ImageBitmap` before bridging.
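
One way to apply the `ArrayBuffer` workaround in a preload script, shown as an added example that is not code from the advisory or from Electron. The function names, the `video` API key and the `captureFrame` frame source are assumptions; the `VideoFrame` calls (`allocationSize`, `copyTo`, `close`) are the standard WebCodecs ones.

```javascript
// Added example (not Electron's code). All function names here are hypothetical.
// Copy a VideoFrame's pixels into a plain object so the frame itself never crosses the bridge.
async function frameToPlain(frame) {
  try {
    const data = new ArrayBuffer(frame.allocationSize());
    const layout = await frame.copyTo(data); // resolves to per-plane { offset, stride }
    return {
      format: frame.format,
      codedWidth: frame.codedWidth,
      codedHeight: frame.codedHeight,
      timestamp: frame.timestamp,
      layout: layout.map(({ offset, stride }) => ({ offset, stride })),
      data,
    };
  } finally {
    frame.close(); // release the frame inside the isolated world
  }
}

// Defense in depth: throw if a value about to be bridged still holds a VideoFrame.
function assertNoVideoFrame(value, seen = new Set()) {
  if (value === null || typeof value !== 'object' || seen.has(value)) return value;
  seen.add(value);
  if (typeof VideoFrame === 'function' && value instanceof VideoFrame) {
    throw new TypeError('VideoFrame must not cross contextBridge');
  }
  if (ArrayBuffer.isView(value) || value instanceof ArrayBuffer) return value;
  for (const key of Object.keys(value)) assertNoVideoFrame(value[key], seen);
  return value;
}

// Preload wiring. `captureFrame` is the app's own async source of VideoFrame objects.
// In a preload: exposeVideoApi(require('electron').contextBridge, captureFrame);
function exposeVideoApi(contextBridge, captureFrame) {
  contextBridge.exposeInMainWorld('video', {
    nextFrame: async () => assertNoVideoFrame(await frameToPlain(await captureFrame())),
  });
}
```

The page then receives only metadata and a pixel copy, and can rebuild a frame on its own side if it needs one.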

### Fixed Versions
* `41.0.0-beta.8`
* `40.7.0`
* `39.8.0`

### For more information
If there are any questions or comments about this advisory, please email [[email protected]](mailto:[email protected])
ghsa CVSS3.1 8.4
Vulnerability type
CWE-668
CWE-1188
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026