Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
Apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption.
Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected.
Workarounds
Ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable.
Fixed Versions
42.0.0-alpha.541.1.040.8.539.8.5
For more information
If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)
AnalysisAI
Use-after-free in Electron's offscreen rendering with GPU shared textures allows local attackers with high privileges to cause memory corruption or application crashes by invoking the texture release callback after its backing native state has been freed. The vulnerability affects Electron versions before 42.0.0-alpha.5, 41.1.0, 40.8.5, and 39.8.5, and only impacts applications explicitly enabling shared-texture offscreen rendering via webPreferences.offscreen.useSharedTexture: true.
Technical ContextAI
Electron's offscreen rendering feature supports GPU-accelerated shared texture rendering to improve performance in applications that need to render content outside the main window. The vulnerability resides in memory lifecycle management between the Chromium renderer process and the native backing texture resource. When a paint event texture with shared GPU texture enabled is created, a release() callback is registered to signal when the texture is no longer needed. Under certain conditions-likely related to garbage collection timing, event loop scheduling, or asynchronous resource cleanup-the callback reference can outlive the native texture resource it was designed to manage. Invoking release() after the native state has been freed constitutes a classic use-after-free (CWE-416) condition, dereferencing memory that may have been reallocated or sanitized, leading to either a crash (denial of service) or potential memory corruption if the freed region is reused.
RemediationAI
Vendor-released patches are available in Electron 42.0.0-alpha.5, 41.1.0, 40.8.5, and 39.8.5. Applications should upgrade to the earliest patched version compatible with their release branch: use 42.0.0-alpha.5 or later for the v42 alpha series, 41.1.0 or later for the v41 stable branch, 40.8.5 or later for the v40 stable branch, or 39.8.5 or later for the v39 stable branch. As an interim workaround for applications that cannot immediately upgrade, ensure that texture.release() is called as soon as the texture has been consumed by the rendering pipeline, before the texture object is eligible for garbage collection. This prevents the callback from outliving the underlying native resource. For details, consult the official GitHub advisory at https://github.com/electron/electron/security/advisories/GHSA-8x5q-pvf5-64mp.
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19352
GHSA-8x5q-pvf5-64mp