Race Condition Vulnerability in Oxia Metadata Store and Coordination System
CVE-2026-40943

8.7 HIGH

Key Information:

Vendor: Oxia-db

Status
Vendor
CVE Published: 21 April 2026

What is CVE-2026-40943?

Oxia, a metadata store and coordination system, is affected by a race condition that may lead to server instability. The issue arises from a timing conflict between session heartbeat processing and session closure. Specifically, the heartbeat() method performs a blocking channel send while holding a mutex, which can result in either a deadlock if the channel buffer is full or a server panic caused by a send on a closed channel. This vulnerability has been addressed in version 0.16.2.
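The pattern described above, next to one common way to harden it, as an added example that is not Oxia's code or its actual fix. The session type, its fields, the method names and the buffer size are all hypothetical.

```go
package main

import (
	"fmt"
	"sync"
)

type session struct { // hypothetical stand-in for a server session, not Oxia's type
	mu     sync.Mutex
	closed bool          // set once by shutdown, under mu
	hb     chan struct{} // heartbeat signals for a consumer goroutine
}

func (s *session) unsafeHeartbeat() (err error) {
	defer func() { err, _ = recover().(error) }() // surface the panic as err for the demo
	s.mu.Lock()
	defer s.mu.Unlock()
	s.hb <- struct{}{} // blocking send under mu, no closed check: hangs if full, panics if closed
	return nil
}

// safeHeartbeat checks closed under the lock shutdown takes and never blocks.
func (s *session) safeHeartbeat() bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.closed {
		select {
		case s.hb <- struct{}{}:
			return true
		default: // buffer full: drop the signal instead of blocking
		}
	}
	return false
}

func (s *session) shutdown() {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.closed {
		s.closed = true
		close(s.hb)
	}
}

func main() {
	s := &session{hb: make(chan struct{}, 1)} // constructed buffer size
	s.shutdown()
	fmt.Println(s.safeHeartbeat(), s.unsafeHeartbeat())
}
```

Dropping a heartbeat when the buffer is full is a design choice of this sketch; it suits signals where a later heartbeat carries the same information.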

Affected Version(s)

oxia < 0.16.2

References

CVSS V4

Score: 8.7
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
