Description
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 33.0.0-alpha.1 to before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected. To mitigate this issue, ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.
Published: 2026-04-06
Score: 2.3 Low
EPSS: n/a
KEV: No
Impact: Memory corruption
Action: Patch
AI Analysis

Impact

Electron exposes a use‑after‑free when offscreen rendering with GPU shared textures is enabled. The release() callback for a paint‑event texture may be invoked after its backing native state has been freed, causing the main process to dereference freed memory. This can lead to a crash or memory corruption and is classified as CWE‑416.

Affected Systems

The issue affects Electron releases from 33.0.0‑alpha.1 up to, but not including, 39.8.5, 40.8.5, 41.1.0, and 42.0.0‑alpha.5. Applications that enable offscreen rendering with shared textures via webPreferences.offscreen: { useSharedTexture: true } are vulnerable. Projects that do not enable shared‑texture offscreen rendering are not impacted.

Risk and Exploitability

With a CVSS score of 2.3 the vulnerability has low severity and the exploit probability is not quantified. It is not listed in the CISA KEV catalogue, suggesting no known widespread exploitation. The attack vector is inferred to be local or application‑level, requiring an attacker to run malicious code within an Electron application that uses the vulnerable offscreen rendering configuration. Because the issue leads only to crashes or memory corruption, the potential damage is limited to destabilization of the application unless an attacker can leverage the vulnerability to execute arbitrary code.

Generated by OpenCVE AI on April 6, 2026 at 19:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Electron to a fixed version: 39.8.5, 40.8.5, 41.1.0, or 42.0.0‑alpha.5.
  • If upgrading immediately is not possible, ensure that texture.release() is called promptly after the texture has been consumed and before the texture object becomes unreachable.
  • Alternatively, disable shared texture offscreen rendering by setting webPreferences.offscreen.useSharedTexture to false if the feature is not needed.


Advisories
Source: Github GHSA
ID: GHSA-8x5q-pvf5-64mp
Title: Electron: Use-after-free in offscreen shared texture release() callback
History

Tue, 07 Apr 2026 00:00:00 +0000

Values added:
First Time appeared: Electron; Electron electron
Weaknesses: CWE-825
Vendors & Products: Electron; Electron electron
References: (no values shown)
Metrics: threat_severity, removed None, added Low


Mon, 06 Apr 2026 16:45:00 +0000

Values added:
Description: same text as the Description section at the top of this page
Title: Electron has a use-after-free in offscreen shared texture release() callback
Weaknesses: CWE-416
References: (no values shown)
Metrics: cvssV3_1 score 2.3, vector CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T15:46:40.189Z

Reserved: 2026-03-30T19:17:10.225Z

Link: CVE-2026-34764

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-06T16:16:36.767

Modified: 2026-04-06T16:16:36.767

Link: CVE-2026-34764

Redhat

Severity: Low

Public Date: 2026-04-06T15:46:40Z

Links: CVE-2026-34764 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-06T21:31:50Z
