CVE-2026-40944

Vulnerability Description

Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded. This silently breaks certificate chain validation for mTLS. This vulnerability is fixed in 0.16.2.

Related Weaknesses (CWE)

CWE-295

References

https://github.com/oxia-db/oxia/security/advisories/GHSA-7jrq-q4pq-rhm6

FAQ

What is CVE-2026-40944?

CVE-2026-40944 is a documented vulnerability. Oxia is a metadata store and coordination system. Prior to 0.16.2, the trustedCertPool() function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle c...

How severe is CVE-2026-40944?

CVSS scoring is not yet available for CVE-2026-40944. Check NVD for updates.

Is there a patch for CVE-2026-40944?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.