Oxia: Server crash via race condition in session heartbeat handling

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2.

AI Analysis

Server crash via race condition in session heartbeat handling

Basic Information

ID CVE-2026-40943

Source GitHub_M

Published Apr 21, 2026 at 21:13

Affected Product

Vendor oxia-db

Product oxia

Version < 0.16.2

Affected Versions oxia-db oxia < 0.16.2

CWE Classification

CWE-362

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor oxia-db

Product Oxia

Version < 0.16.2

References

github.com /oxia-db/oxia/security/advisories/GHSA-5gqc-qhrj-9xw8

{
    "lastseen": "",
    "description": "Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2.",
    "published": "2026-04-21T21:13:31.675Z",
    "modified": "2026-04-21T21:13:31.675Z",
    "type": "cve",
    "title": "Oxia: Server crash via race condition in session heartbeat handling",
    "source": "GitHub_M",
    "references": "https://github.com/oxia-db/oxia/security/advisories/GHSA-5gqc-qhrj-9xw8",
    "id": "CVE-2026-40943",
    "bulletinFamily": "",
    "cwe": [
        "CWE-362"
    ],
    "cvelist": null,
    "sourceData": "oxia-db oxia < 0.16.2",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "oxia",
    "version": "< 0.16.2",
    "vendor": "oxia-db",
    "ai_description": "Server crash via race condition in session heartbeat handling",
    "ai_severity": "High",
    "ai_vendor": "oxia-db",
    "ai_product": "Oxia",
    "ai_version": "< 0.16.2",
    "ai_score": 8.7
}

Oxia: Server crash via race condition in session heartbeat handling_CVE-2026-40943