CVE-2026-40943
Oxia: Server crash via race condition in session heartbeat handling
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2.
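The failure modes described above can be avoided by checking the closed flag and sending under the same lock, with a non-blocking send. The following Go sketch is an added example, not Oxia's code and not the 0.16.2 patch; the `session` type, its `beats` channel and the `race` helper are hypothetical names chosen for illustration.

```go
package main

import "sync"

type session struct { // hypothetical stand-in, not Oxia's own type
	mu     sync.Mutex
	closed bool
	beats  chan struct{}
}

// heartbeat checks closed and sends under one lock, so close() cannot run
// between check and send; the non-blocking send never stalls the lock holder.
func (s *session) heartbeat() (delivered, open bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.closed {
		return false, false
	}
	select {
	case s.beats <- struct{}{}:
		return true, true
	default: // buffer full: drop instead of blocking
		return false, true
	}
}

func (s *session) close() { // idempotent; closes the channel only under the mutex
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.closed {
		s.closed = true
		close(s.beats)
	}
}

// race interleaves heartbeat() and close() across goroutines, then reports the open state.
func race(workers int) bool {
	s := &session{beats: make(chan struct{}, 1)}
	var wg sync.WaitGroup
	for i := 0; i < workers; i++ {
		wg.Add(1)
		go func() { defer wg.Done(); s.heartbeat(); s.close(); s.heartbeat() }()
	}
	wg.Wait()
	_, open := s.heartbeat()
	return open
}

func main() { println("open after race:", race(64)) }
```

Running it under `go run -race` exercises the interleaving; a blocking send or an unlocked closed check in `heartbeat` would surface as a hang or a `send on closed channel` panic.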
| Field | Value |
| --- | --- |
| CWE | CWE-362 |
| Vendor | oxia-db |
| Product | oxia |
| Published | Apr 21, 2026 |
Affected Versions
oxia-db / oxia
< 0.16.2