CVE-2026-40943— Oxia: Server crash via race condition in session heartbeat handling

Oxia: Server crash via race condition in session heartbeat handling

Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2.

N/A

使用共享资源的并发执行不恰当同步问题(竞争条件)

oxia 竞争条件问题漏洞

oxia是Oxia开源的一个分布式元数据存储与协调系统。 Oxia 0.16.2之前版本存在竞争条件问题漏洞，该漏洞源于会话心跳处理和会话关闭之间存在竞争条件，可能导致服务器因在已关闭通道上发送而崩溃。

N/A

N/A