Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 33.0.0-alpha.1 to before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected. To mitigate this issue, ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.
Published: 2026-04-06
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Use‑after‑free leading to potential crash or memory corruption
Action: Apply patch
AI Analysis

Impact

This vulnerability is a use‑after‑free in Electron’s handling of offscreen GPU shared textures. When the release() callback on a paint event texture is invoked after the associated native backing has been freed, the main process dereferences invalid memory. The result can be a crash or more severe memory corruption that may be exploitable for code execution in some contexts, although the advisory does not confirm direct remote code execution.

Affected Systems

The issue affects Electron applications that enable offscreen rendering with shared textures. Versions from 33.0.0‑alpha.1 up to, but not including, 39.8.5, 40.8.5, 41.1.0, and 42.0.0‑alpha.5 are vulnerable when webPreferences.offscreen.useSharedTexture is true. Applications that do not use shared‑texture offscreen rendering are not affected. The problem is specific to the Electron framework, not to end users’ operating systems or browsers.

Risk and Exploitability

The CVSS score of 2.3 indicates a low severity, and the EPSS score is not available. Because the flaw requires the application to employ offscreen rendering with shared textures, the likelihood of exploitation in the wild is limited. Attackers would need to trigger the release() callback after the texture’s native state has been freed, which is dependent on the app’s rendering logic. The vulnerability is not listed in the CISA KEV catalog, further suggesting that widespread exploitation has not been observed. The primary consequence is a crash or memory corruption, which may be leveraged for more advanced attacks if combined with other weaknesses.

Generated by OpenCVE AI on April 7, 2026 at 01:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Electron to version 39.8.5, 40.8.5, 41.1.0, or 42.0.0‑alpha.5 where the issue is fixed.
  • If upgrading is not immediately possible, ensure that texture.release() is invoked promptly after the texture is consumed and before the texture object becomes unreachable.
  • Disable shared‑texture offscreen rendering by setting webPreferences.offscreen.useSharedTexture to false if the feature is not required.
  • Monitor application stability for signs of crashes or memory corruption and consider rolling back to a known‑stable Electron release if the problem persists.

Generated by OpenCVE AI on April 7, 2026 at 01:43 UTC.
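The interim mitigation above (call texture.release() promptly, before the texture object becomes unreachable) can be enforced structurally in the paint handler. This is an added example, not code from the Electron project; `handlePaint`, `consume`, `copyFrame` and `stats` are hypothetical names, and `event.texture` / `texture.textureInfo` are taken from Electron's documented offscreen shared texture API rather than from this page.

```javascript
// Added example, not Electron project code. `consume` is a hypothetical app callback
// that copies or imports the frame; `stats` is a hypothetical counter for monitoring.
const stats = { outstanding: 0, released: 0, consumeErrors: 0 };

async function handlePaint(event, consume) {
  const texture = event.texture;   // set when offscreen: { useSharedTexture: true }
  if (!texture) return 'no-texture';
  stats.outstanding++;
  try {
    // Pass only textureInfo. Handing out `texture` or `texture.release` would let a
    // timer, queue or closure call release() long after this handler has returned.
    await consume(texture.textureInfo);
    return 'consumed';
  } catch (err) {
    stats.consumeErrors++;
    return 'consume-failed';
  } finally {
    // Runs on success and on failure, while `texture` is still referenced here.
    texture.release();
    stats.outstanding--;
    stats.released++;
  }
}

// Wiring in the main process (shown as a comment because it needs Electron):
//   win.webContents.on('paint', (event) => { handlePaint(event, copyFrame); });
// where `win` is the offscreen BrowserWindow and `copyFrame` is the app's consumer.
```

A `stats.outstanding` value that keeps growing points to a consumer that never settles, which is the condition under which release() would be delayed.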


Advisories
Source: GitHub GHSA
ID: GHSA-8x5q-pvf5-64mp
Title: Electron: Use-after-free in offscreen shared texture release() callback

History

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Electron
Electron electron
Weaknesses CWE-825
Vendors & Products Electron
Electron electron
References
Metrics threat_severity

None

threat_severity

Low


Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description (identical to the Description at the top of this page)
Title Electron has a use-after-free in offscreen shared texture release() callback
Weaknesses CWE-416
References
Metrics cvssV3_1

{'score': 2.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T16:00:32.633Z

Reserved: 2026-03-30T19:17:10.225Z

Link: CVE-2026-34764

Vulnrichment

Updated: 2026-04-07T15:47:42.284Z

NVD

Status: Awaiting Analysis

Published: 2026-04-06T16:16:36.767

Modified: 2026-04-07T13:20:11.643

Link: CVE-2026-34764

Redhat

Severity: Low

Public Date: 2026-04-06T15:46:40Z

Links: CVE-2026-34764 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-07T06:54:57Z

Weaknesses