High severityNVD Advisory· Published Apr 21, 2026· Updated Apr 22, 2026

CVE-2026-40943

Description

Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/oxia-db/oxiaGo	< 0.16.2	0.16.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-5gqc-qhrj-9xw8ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-40943ghsaADVISORY
github.com/oxia-db/oxia/security/advisories/GHSA-5gqc-qhrj-9xw8nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000