CVE-2026-40943

Vulnerability Description

Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2.

Vulnerability Details

Published Date

April 21, 2026

Last Modified

April 22, 2026

CWE ID

CWE-362

Source

NVD

Vendor

oxia-db

Product

oxia

External References

https://github.com/oxia-db/oxia/security/advisories/GHSA-5gqc-qhrj-9xw8

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment