CVE-2026-40943: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in oxia-db oxia
CVE-2026-40943 is a race condition vulnerability in oxia, a metadata store and coordination system, affecting versions prior to 0. 16. 2. The issue arises from improper synchronization between session heartbeat processing and session closure, causing the server to panic due to sending on a closed channel or deadlock scenarios. This is triggered by the heartbeat() method using a blocking channel send while holding a mutex, which under certain timing conditions with concurrent close() calls leads to a time-of-check to time-of-use (TOCTOU) gap. The vulnerability has a high severity score of 8. 7. A fix is available in version 0. 16. 2.
AI Analysis
Technical Summary
Oxia versions before 0.16.2 suffer from a race condition (CWE-362) involving concurrent execution using a shared resource with improper synchronization. Specifically, the heartbeat() method sends on a blocking channel while holding a mutex. If a close() call happens concurrently, this can cause either a deadlock due to a full channel buffer or a panic caused by sending on a closed channel after a TOCTOU gap in KeepAlive logic. This vulnerability can cause server crashes and denial of service. The issue is resolved in oxia version 0.16.2.
Potential Impact
The vulnerability can cause the oxia server to panic and crash due to improper synchronization between heartbeat processing and session closure. This results in denial of service conditions. There is no indication of privilege escalation, data corruption, or remote code execution. No known exploits have been reported in the wild.
Mitigation Recommendations
Upgrade oxia to version 0.16.2 or later, where this race condition vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 0.16.2, applying this official fix is the recommended remediation. No additional mitigation steps are specified or required.
CVE-2026-40943: CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') in oxia-db oxia
Description
CVE-2026-40943 is a race condition vulnerability in oxia, a metadata store and coordination system, affecting versions prior to 0. 16. 2. The issue arises from improper synchronization between session heartbeat processing and session closure, causing the server to panic due to sending on a closed channel or deadlock scenarios. This is triggered by the heartbeat() method using a blocking channel send while holding a mutex, which under certain timing conditions with concurrent close() calls leads to a time-of-check to time-of-use (TOCTOU) gap. The vulnerability has a high severity score of 8. 7. A fix is available in version 0. 16. 2.
CVSS v4.0
Score 8.7high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Oxia versions before 0.16.2 suffer from a race condition (CWE-362) involving concurrent execution using a shared resource with improper synchronization. Specifically, the heartbeat() method sends on a blocking channel while holding a mutex. If a close() call happens concurrently, this can cause either a deadlock due to a full channel buffer or a panic caused by sending on a closed channel after a TOCTOU gap in KeepAlive logic. This vulnerability can cause server crashes and denial of service. The issue is resolved in oxia version 0.16.2.
Potential Impact
The vulnerability can cause the oxia server to panic and crash due to improper synchronization between heartbeat processing and session closure. This results in denial of service conditions. There is no indication of privilege escalation, data corruption, or remote code execution. No known exploits have been reported in the wild.
Mitigation Recommendations
Upgrade oxia to version 0.16.2 or later, where this race condition vulnerability is fixed. Since the vendor advisory indicates the issue is resolved in 0.16.2, applying this official fix is the recommended remediation. No additional mitigation steps are specified or required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-15T20:40:15.519Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e7e91619fe3cd2cdfaec56
Added to database: 4/21/2026, 9:16:06 PM
Last enriched: 4/29/2026, 11:38:17 AM
Last updated: 6/5/2026, 5:36:13 AM
Views: 88
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.