Skip to main content

CVE-2026-34764

| EUVDEUVD-2026-19352 LOW
Use After Free (CWE-416)
2026-04-03 https://github.com/electron/electron GHSA-8x5q-pvf5-64mp
2.3
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.3 LOW
AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Apr 04, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 03, 2026 - 22:15 euvd
EUVD-2026-19352
Analysis Generated
Apr 03, 2026 - 22:15 vuln.today
CVE Published
Apr 03, 2026 - 21:52 nvd
LOW 2.3

DescriptionGitHub Advisory

Impact

Apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption.

Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected.

Workarounds

Ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable.

Fixed Versions

  • 42.0.0-alpha.5
  • 41.1.0
  • 40.8.5
  • 39.8.5

For more information

If there are any questions or comments about this advisory, send an email to [security@electronjs.org](mailto:security@electronjs.org)

AnalysisAI

Use-after-free in Electron's offscreen rendering with GPU shared textures allows local attackers with high privileges to cause memory corruption or application crashes by invoking the texture release callback after its backing native state has been freed. The vulnerability affects Electron versions before 42.0.0-alpha.5, 41.1.0, 40.8.5, and 39.8.5, and only impacts applications explicitly enabling shared-texture offscreen rendering via webPreferences.offscreen.useSharedTexture: true.

Technical ContextAI

Electron's offscreen rendering feature supports GPU-accelerated shared texture rendering to improve performance in applications that need to render content outside the main window. The vulnerability resides in memory lifecycle management between the Chromium renderer process and the native backing texture resource. When a paint event texture with shared GPU texture enabled is created, a release() callback is registered to signal when the texture is no longer needed. Under certain conditions-likely related to garbage collection timing, event loop scheduling, or asynchronous resource cleanup-the callback reference can outlive the native texture resource it was designed to manage. Invoking release() after the native state has been freed constitutes a classic use-after-free (CWE-416) condition, dereferencing memory that may have been reallocated or sanitized, leading to either a crash (denial of service) or potential memory corruption if the freed region is reused.

RemediationAI

Vendor-released patches are available in Electron 42.0.0-alpha.5, 41.1.0, 40.8.5, and 39.8.5. Applications should upgrade to the earliest patched version compatible with their release branch: use 42.0.0-alpha.5 or later for the v42 alpha series, 41.1.0 or later for the v41 stable branch, 40.8.5 or later for the v40 stable branch, or 39.8.5 or later for the v39 stable branch. As an interim workaround for applications that cannot immediately upgrade, ensure that texture.release() is called as soon as the texture has been consumed by the rendering pipeline, before the texture object is eligible for garbage collection. This prevents the callback from outliving the underlying native resource. For details, consult the official GitHub advisory at https://github.com/electron/electron/security/advisories/GHSA-8x5q-pvf5-64mp.

Share

CVE-2026-34764 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy