CVE-2026-34764

Name of the Vulnerable Software and Affected Versions Electron versions 33.0.0-alpha.1 through 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5

Description Electron applications utilizing offscreen rendering with GPU shared textures may experience a use-after-free condition. Specifically, the release() callback associated with a paint event texture can outlive its native state, potentially leading to memory corruption or a crash when invoked. Applications are only affected if they employ offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. The texture.release() function is central to this issue.

Recommendations Versions prior to 39.8.5: Ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable. Versions prior to 40.8.5: Ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable. Versions prior to 41.1.0: Ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable. Versions prior to 42.0.0-alpha.5: Ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable.