{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40943", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-15T20:40:15.519Z", "datePublished": "2026-04-21T21:13:31.675Z", "dateUpdated": "2026-04-21T21:13:31.675Z"}, "containers": {"cna": {"title": "Oxia: Server crash via race condition in session heartbeat handling", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/oxia-db/oxia/security/advisories/GHSA-5gqc-qhrj-9xw8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/oxia-db/oxia/security/advisories/GHSA-5gqc-qhrj-9xw8"}], "affected": [{"vendor": "oxia-db", "product": "oxia", "versions": [{"version": "< 0.16.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T21:13:31.675Z"}, "descriptions": [{"lang": "en", "value": "Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2."}], "source": {"advisory": "GHSA-5gqc-qhrj-9xw8", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2."}], "id": "CVE-2026-40943", "lastModified": "2026-04-21T22:16:19.847", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T22:16:19.847", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/oxia-db/oxia/security/advisories/GHSA-5gqc-qhrj-9xw8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T07:07:58.380787+00:00", "value": {"mitigation_remediation": ["Upgrade Oxia to version 0.16.2 or later.", "Limit access to the Oxia service to trusted clients and consider implementing authentication or rate limiting to reduce potential traffic that could trigger the race condition.", "Configure a process supervisor or watchdog to automatically restart the Oxia server if it crashes, and enable log monitoring for panic events to alert administrators promptly."], "summary": {"action": "Apply Patch", "impact": "Server Crash (Denial of Service)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Oxia metadata store and coordination system for all versions before 0.16.2. Updating to version 0.16.2 or later resolves the issue.", "description_and_impact": "A race condition in Oxia\u2019s session heartbeat processing can trigger a panic when a heartbeat attempt sends on a closed channel. The flaw arises after a time\u2011of\u2011check to time\u2011of\u2011use gap in the KeepAlive logic, leading to either a deadlock or an outright panic. The resulting crash causes the metadata store and coordination system to become unavailable, effectively denying service to all clients. The vulnerability stems from improper synchronization of shared resources, identified as a classic race condition weakness (CWE\u2011362).", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity impact. Although the EPSS score is not available and the vulnerability is not listed in CISA\u2019s KEV catalog, the attack path requires an attacker to cause concurrent heartbeat and session closure activity. Based on the description, the likely attack vector involves an attacker or a compromised client that can generate traffic to trigger the race condition, but exploitation details are not fully disclosed. The overall risk remains significant due to the potential for a server crash that would disrupt services."}}}}, "created": "2026-04-22T07:15:11.668507+00:00", "updated": "2026-04-22T07:15:11.668518+00:00", "vendors": []}