CVE-2026-40943
Received Received - Intake
Race Condition in Oxia Causes Server Panic and Deadlock

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40943
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oxia metadata_store to 0.16.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Oxia, a metadata store and coordination system, in versions prior to 0.16.2. It is caused by a race condition between session heartbeat processing and session closure. Specifically, the heartbeat() method performs a blocking channel send while holding a mutex. When this operation coincides with concurrent close() calls, it can lead to either a deadlock if the channel buffer is full or a panic due to sending on a closed channel after a time-of-check-to-time-of-use (TOCTOU) gap in the KeepAlive mechanism.

This issue is fixed in version 0.16.2.

Impact Analysis

The vulnerability can cause the Oxia server to panic or deadlock during session management operations. This can lead to service interruptions or crashes, potentially affecting the availability and reliability of systems relying on Oxia for metadata storage and coordination.

Mitigation Strategies

The vulnerability is fixed in Oxia version 0.16.2. Immediate mitigation involves upgrading the Oxia metadata store and coordination system to version 0.16.2 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40943. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart