PT-2026-34187 · Oxia · Oxia
Published 2026-04-14 · Updated 2026-04-26 · CVE-2026-40943
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Oxia versions prior to 0.16.2
Description
A race condition exists between session heartbeat processing and session closure. The heartbeat() method utilizes a blocking channel send while holding a mutex. Under specific timing with concurrent close() calls, this can result in a deadlock if the channel buffer is full, or a server panic due to a send on a closed channel following a Time-of-Check to Time-of-Use (TOCTOU) gap in KeepAlive. TOCTOU is a software bug where a system checks the state of a resource before using it, but the state changes between the check and the use.
Recommendations
Update to version 0.16.2.
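For teams auditing their own Go services for the pattern in the Description, the following is an added example, not Oxia's source code or its 0.16.2 patch. It shows one way to avoid both failure modes: the closed check and the send share one critical section, and the send never blocks. The session type, its fields and the drop-on-full policy are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// session is a hypothetical stand-in for a server-side session (not Oxia's type).
type session struct {
	mu     sync.Mutex
	closed bool
	beats  chan struct{} // buffered heartbeat queue
}

// Flawed shape per the advisory: a plain `s.beats <- struct{}{}` under mu blocks
// all other lock users when the buffer is full and panics once beats is closed.
// heartbeat checks closed and sends in one critical section, without blocking.
func (s *session) heartbeat() (queued bool, err error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.closed {
		return false, errors.New("session closed")
	}
	select {
	case s.beats <- struct{}{}:
		return true, nil
	default: // buffer full: drop this beat rather than block under the lock
		return false, nil
	}
}

// close flips the flag and closes beats under the same mutex as heartbeat.
func (s *session) close() {
	s.mu.Lock()
	defer s.mu.Unlock()
	if !s.closed {
		s.closed = true
		close(s.beats)
	}
}

func main() {
	s := &session{beats: make(chan struct{}, 1)}
	fmt.Println(s.heartbeat()) // true <nil>
	fmt.Println(s.heartbeat()) // false <nil> (dropped, did not block)
	s.close()
	fmt.Println(s.heartbeat()) // false session closed
}
```

Running the concurrent case under `go test -race` is a quick regression check for both the data race and the send-on-closed-channel panic.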
Fix
Race Condition
Affected Products
Oxia