Vulnerability Description
Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2026-40943?
CVE-2026-40943 is a documented vulnerability. Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. ...
How severe is CVE-2026-40943?
CVSS scoring is not yet available for CVE-2026-40943. Check NVD for updates.
Is there a patch for CVE-2026-40943?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.