CVE-2026-40943: Oxia affected by server crash via race condition in session heartbeat handling

April 14, 2026 (updated April 24, 2026)

A race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive).

References

github.com/advisories/GHSA-5gqc-qhrj-9xw8
github.com/oxia-db/oxia
github.com/oxia-db/oxia/security/advisories/GHSA-5gqc-qhrj-9xw8
nvd.nist.gov/vuln/detail/CVE-2026-40943

Code Behaviors & Features

Detect and mitigate CVE-2026-40943 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →