# CVE-2026-40943

> Vulnerability.

## Description

Oxia is a metadata store and coordination system. Prior to 0.16.2, a race condition between session heartbeat processing and session closure can cause the server to panic with send on closed channel. The heartbeat() method uses a blocking channel send while holding a mutex, and under specific timing with concurrent close() calls, this can lead to either a deadlock (channel buffer full) or a panic (send on closed channel after TOCTOU gap in KeepAlive). This vulnerability is fixed in 0.16.2.

## Key facts

- **CVE ID:** CVE-2026-40943
- **Published:** 2026-04-21
- **CWE codes:** CWE-362

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-40943

## Citation

> AI Analytics. CVE-2026-40943. Retrieved 2026-07-15 from https://api.ai-analytics.org/cve/CVE-2026-40943. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*