Description
Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2.
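The following hardened session type is an added example written for this page; it is not Oxia's code or its 0.16.2 patch, and SafeSession, Heartbeat, Close, Hb and done are assumed names. It avoids both failure modes named in the description: the channel send never happens while the mutex is held (so a full buffer cannot deadlock close()), and the heartbeat channel is never closed (so a close() that wins the TOCTOU race after the flag check only unblocks a waiting sender instead of panicking it).

```go
package main

import (
	"errors"
	"sync"
)

var ErrSessionClosed = errors.New("session closed")

// SafeSession is a hypothetical session object. The vulnerable pattern blocks
// on a send while holding the mutex, on a channel close() also closes; here the
// flag is read under mu, the send happens outside it, and only done is closed.
type SafeSession struct {
	mu     sync.Mutex
	closed bool
	Hb     chan struct{} // heartbeats, drained by the session's keep-alive loop
	done   chan struct{} // closed exactly once by Close()
}

func NewSafeSession(buf int) *SafeSession {
	return &SafeSession{Hb: make(chan struct{}, buf), done: make(chan struct{})}
}

// Heartbeat returns ErrSessionClosed instead of panicking on a closed session,
// including when Close() wins the race in the gap after the flag check.
func (s *SafeSession) Heartbeat() error {
	s.mu.Lock()
	closed := s.closed
	s.mu.Unlock()
	if closed {
		return ErrSessionClosed
	}
	select {
	case s.Hb <- struct{}{}: // may wait for buffer space, but never under mu
		return nil
	case <-s.done: // Close() ran while this sender was waiting
		return ErrSessionClosed
	}
}

// Close is idempotent and never closes Hb, which other goroutines may be
// sending on; closing done instead wakes every sender blocked in Heartbeat.
func (s *SafeSession) Close() {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.closed {
		s.closed = true
		close(s.done)
	}
}
```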
Published: 2026-04-21
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Server Crash (Denial of Service)
Action: Apply Patch
AI Analysis

Impact

A race condition in Oxia’s session heartbeat processing can trigger a panic when a heartbeat attempt sends on a closed channel. The flaw arises after a time‑of‑check to time‑of‑use gap in the KeepAlive logic, leading to either a deadlock or an outright panic. The resulting crash causes the metadata store and coordination system to become unavailable, effectively denying service to all clients. The vulnerability stems from improper synchronization of shared resources, identified as a classic race condition weakness (CWE‑362).

Affected Systems

The vulnerability affects the Oxia metadata store and coordination system for all versions before 0.16.2. Updating to version 0.16.2 or later resolves the issue.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity impact. Although the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, the attack path requires an attacker to cause concurrent heartbeat and session closure activity. Based on the description, the likely attack vector involves an attacker or a compromised client that can generate traffic to trigger the race condition, but exploitation details are not fully disclosed. The overall risk remains significant due to the potential for a server crash that would disrupt services.

Generated by OpenCVE AI on April 22, 2026 at 07:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oxia to version 0.16.2 or later.
  • Limit access to the Oxia service to trusted clients and consider implementing authentication or rate limiting to reduce potential traffic that could trigger the race condition.
  • Configure a process supervisor or watchdog to automatically restart the Oxia server if it crashes, and enable log monitoring for panic events to alert administrators promptly.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Oxia-db; Oxia-db oxia

Type: Vendors & Products
Values Added: Oxia-db; Oxia-db oxia

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Added: Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2.

Type: Title
Values Added: Oxia: Server crash via race condition in session heartbeat handling

Type: Weaknesses
Values Added: CWE-362

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:55:27.811Z

Reserved: 2026-04-15T20:40:15.519Z

Link: CVE-2026-40943

Vulnrichment

Updated: 2026-04-22T13:55:17.103Z

NVD

Status : Received

Published: 2026-04-21T22:16:19.847

Modified: 2026-04-21T22:16:19.847

Link: CVE-2026-40943

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:45:00Z

Weaknesses