Update dependency electron to v41.1.0 [SECURITY]#126

renovate[bot] merged 1 commit into main from renovate/npm-electron-vulnerability on Apr 4, 2026

@renovate renovate bot commented Apr 3, 2026

This PR contains the following updates:

Package    Change
electron   41.0.4 → 41.1.0

GitHub Vulnerability Alerts

CVE-2026-34764

Impact

Apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption.

Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected.

Workarounds

Ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable.

Fixed Versions

  • 42.0.0-alpha.5
  • 41.1.0
  • 40.8.5
  • 39.8.5

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org


Electron: Use-after-free in offscreen shared texture release() callback

CVE-2026-34764 / GHSA-8x5q-pvf5-64mp

More information

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

electron/electron (electron)

v41.1.0: electron v41.1.0

Release Notes for v41.1.0

Features

  • Added nativeTheme.shouldDifferentiateWithoutColor on macOS. #50408 (Also in 42)
  • Notes: Added support for the urgency option in Notifications on Windows. #50382 (Also in 42)

Fixes

  • Fixed a bug where Windows notification icons could fail to save because their temporary filenames contained invalid characters. #50483 (Also in 40)
  • Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #50492 (Also in 39, 40, 42)
  • Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #50501 (Also in 39, 40, 42)
  • Fixed an accessibility issue where the AXMenuOpened event was not fired on menu creation. #50506 (Also in 40, 42)
  • Fixed an issue where an app shortcut may lose its icon after auto-updating on Windows. #50519 (Also in 40)

Other Changes

  • Updated Chromium to 146.0.7680.166. #50458

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the enhancement label Apr 3, 2026
@renovate renovate bot requested a review from paulzakin as a code owner April 3, 2026 21:56
@renovate renovate bot merged commit 8d27f26 into main Apr 4, 2026
1 check passed
@renovate renovate bot deleted the renovate/npm-electron-vulnerability branch April 4, 2026 01:20
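
For triaging other projects against this advisory, its two conditions (an installed version older than the fixed release in its line, and `useSharedTexture: true` in the offscreen preferences) can be checked with a short script. This is an added example, not part of the PR or of Electron's code; `patchStatus`, `enablesSharedTexture`, `triage` and the sample input are hypothetical, and it assumes release lines newer than 42 already include the fix.

```javascript
// Added example: triage for CVE-2026-34764 from the fixed versions and setting quoted in the advisory.
const FIXED = ['42.0.0-alpha.5', '41.1.0', '40.8.5', '39.8.5'];

// Split "42.0.0-alpha.5" into a numeric core [42, 0, 0] and prerelease identifiers ['alpha', 5].
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(version.trim());
  if (!m) throw new Error(`not a semantic version: ${version}`);
  const pre = m[4] ? m[4].split('.').map(p => (/^\d+$/.test(p) ? Number(p) : p)) : [];
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Semver precedence: negative if a < b, 0 if equal, positive if a > b.
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a.core[i] !== b.core[i]) return a.core[i] - b.core[i];
  if (!a.pre.length || !b.pre.length) return b.pre.length - a.pre.length; // release > prerelease
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    const x = a.pre[i], y = b.pre[i];
    if (x === y) continue;
    if (x === undefined || y === undefined) return x === undefined ? -1 : 1; // shorter list sorts first
    if (typeof x !== typeof y) return typeof x === 'number' ? -1 : 1; // numeric ids sort first
    return x < y ? -1 : 1;
  }
  return 0;
}

// Returns 'patched', 'unpatched' or 'no-fix-listed' for an installed Electron version.
function patchStatus(installed) {
  const v = parse(installed);
  // Nightly tags are date-stamped and cannot be ordered against alpha/beta by semver rules.
  if (v.pre[0] === 'nightly') return 'no-fix-listed';
  const fixes = FIXED.map(parse);
  const line = fixes.find(f => f.core[0] === v.core[0]);
  if (line) return compare(v, line) >= 0 ? 'patched' : 'unpatched';
  // Assumption: release lines newer than any listed fix already contain it.
  return v.core[0] > Math.max(...fixes.map(f => f.core[0])) ? 'patched' : 'no-fix-listed';
}

// Text heuristic for the affected setting; it misses values computed at runtime.
const enablesSharedTexture = text => /useSharedTexture['"]?\s*:\s*true\b/.test(text);

function triage(installed, sources) {
  const status = patchStatus(installed);
  const sharedTexture = sources.some(enablesSharedTexture);
  return { status, sharedTexture, actionNeeded: status !== 'patched' && sharedTexture };
}

// Constructed sample input, not taken from the repository in this PR.
const sampleMain = 'new BrowserWindow({ webPreferences: { offscreen: { useSharedTexture: true } } })';
console.log(triage('41.0.4', [sampleMain]));
```

When `actionNeeded` is true and an upgrade cannot ship immediately, the advisory's workaround applies: call `texture.release()` as soon as the texture has been consumed.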