Skip to content

Update dependency electron to v41.1.0 [SECURITY]#126

Merged
renovate[bot] merged 1 commit intomainfrom
renovate/npm-electron-vulnerability
Apr 4, 2026
Merged

Update dependency electron to v41.1.0 [SECURITY]#126
renovate[bot] merged 1 commit intomainfrom
renovate/npm-electron-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Apr 3, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
electron 41.0.441.1.0 age confidence

GitHub Vulnerability Alerts

CVE-2026-34764

Impact

Apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption.

Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected.

Workarounds

Ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable.

Fixed Versions

  • 42.0.0-alpha.5
  • 41.1.0
  • 40.8.5
  • 39.8.5

For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

Electron: Use-after-free in offscreen shared texture release() callback

CVE-2026-34764 / GHSA-8x5q-pvf5-64mp

More information

Details

Impact

Apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption.

Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected.

Workarounds

Ensure texture.release() is called promptly after the texture has been consumed, before the texture object becomes unreachable.

Fixed Versions
  • 42.0.0-alpha.5
  • 41.1.0
  • 40.8.5
  • 39.8.5
For more information

If there are any questions or comments about this advisory, send an email to security@electronjs.org

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

electron/electron (electron)

v41.1.0: electron v41.1.0

Compare Source

Release Notes for v41.1.0

Features

  • Added nativeTheme.shouldDifferentiateWithoutColor on macOS. #​50408 (Also in 42)
  • Notes: Added support for the urgency option in Notifications on Windows. #​50382 (Also in 42)

Fixes

  • Fixed a bug where Windows notification icons could fail to save because their temporary filenames contained invalid characters. #​50483 (Also in 40)
  • Fixed a crash in clipboard.readImage() when the clipboard contains malformed image data. #​50492 (Also in 39, 40, 42)
  • Fixed a crash when calling an offscreen shared texture's release() after the texture object was garbage collected. #​50501 (Also in 39, 40, 42)
  • Fixed an accessibility issue where the AXMenuOpened event was not fired on menu creation. #​50506 (Also in 40, 42)
  • Fixed an issue where an app shortcut may lose its icon after auto-updating on Windows. #​50519 (Also in 40)

Other Changes

  • Updated Chromium to 146.0.7680.166. #​50458

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the enhancement You want to improve something label Apr 3, 2026
@renovate renovate bot requested a review from paulzakin as a code owner April 3, 2026 21:56
@renovate renovate bot merged commit 8d27f26 into main Apr 4, 2026
1 check passed
@renovate renovate bot deleted the renovate/npm-electron-vulnerability branch April 4, 2026 01:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

@paulzakin paulzakin Awaiting requested review from paulzakin paulzakin is a code owner

Assignees

No one assigned

Labels

enhancement You want to improve something

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants