Platform
go
Component
oxia-db
Fixed in
0.16.3
0.16.2
CVE-2026-40944 is a security vulnerability affecting Oxia versions prior to 0.16.2. The vulnerability lies in the trustedCertPool() function's handling of CA certificate files, which only parses the first PEM block. This leads to a failure in certificate chain validation when using mutual TLS (mTLS) with multi-certificate CA bundles, effectively rendering mTLS unusable with standard certificate chains.
The primary impact of CVE-2026-40944 is the disruption of mTLS functionality in deployments utilizing certificate chains. When a CA bundle contains multiple certificates, such as an intermediate CA certificate chained with a root CA certificate, only the first certificate is loaded by Oxia. Consequently, legitimate clients presenting properly chained certificates will be rejected with an 'x509: certificate signed by unknown authority' error. This effectively disables mTLS, potentially exposing sensitive data and services to unauthorized access. The blast radius is limited to deployments relying on mTLS with Oxia, but the impact within those deployments can be significant.
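The parsing mistake described above, reproduced in a constructed Go example that is not Oxia's code: loadCAs with firstOnly set mimics a loader that calls pem.Decode once, and ClientAccepted shows that a client certificate issued by an intermediate CA then fails verification even though the intermediate is in the bundle. It assumes a bundle written root-first and a client that presents only its leaf; the certificate chain is generated in memory, so it runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// loadCAs parses a PEM CA bundle into a pool. firstOnly reproduces the faulty behaviour the advisory
// describes (one pem.Decode call, so every certificate after the first is silently dropped); otherwise every block is loaded, which is what x509.CertPool.AppendCertsFromPEM does.
func loadCAs(bundle []byte, firstOnly bool) *x509.CertPool {
	pool := x509.NewCertPool()
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		if c, err := x509.ParseCertificate(block.Bytes); err == nil {
			pool.AddCert(c)
		}
		if firstOnly {
			break
		}
	}
	return pool
}
// newCert issues a throwaway Ed25519 certificate for cn signed by parent (self-signed when parent is nil).
func newCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// ClientAccepted builds a constructed root -> intermediate -> client chain, writes the CA bundle root-first,
// loads it with loadCAs, and reports whether the client leaf, presented without its intermediate, verifies.
func ClientAccepted(firstOnly bool) bool {
	root, rootKey := newCert("root", true, nil, nil)
	inter, interKey := newCert("intermediate", true, root, rootKey)
	leaf, _ := newCert("client", false, inter, interKey)
	bundle := append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: root.Raw}), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: inter.Raw})...)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: loadCAs(bundle, firstOnly)})
	return err == nil // false ("x509: certificate signed by unknown authority") when firstOnly, true otherwise
}

func main() { println("first block only:", ClientAccepted(true), "all blocks:", ClientAccepted(false)) }
```

Note that if the bundle were written intermediate-first, the single-block loader would trust the intermediate directly and the failure would not show; the order of certificates in the file decides which clients break.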
CVE-2026-40944 was publicly disclosed on 2026-04-21. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. Public proof-of-concept (POC) code is not currently available, but the vulnerability's nature makes it relatively straightforward to exploit in environments where mTLS is deployed with Oxia.
Organizations deploying Oxia for mTLS authentication, particularly those using CA certificate bundles containing intermediate certificates, are at risk. This includes environments utilizing Oxia as a service gateway or within microservice architectures where mTLS is employed for secure communication between services.
• linux / server:
journalctl -u oxia | grep 'x509: certificate signed by unknown authority'
• generic web:
curl -I https://your-oxia-service.com # Check for mTLS errors in the response headers
Disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
The definitive mitigation for CVE-2026-40944 is to upgrade Oxia to version 0.16.2 or later, which resolves the certificate parsing issue. If an immediate upgrade is not feasible, consider implementing a workaround by ensuring that CA certificate files contain only the root CA certificate, eliminating the need for intermediate certificates. While this reduces the complexity of the certificate chain, it may also impact compatibility with certain clients. Monitor Oxia logs for 'x509: certificate signed by unknown authority' errors to identify potentially affected clients. After upgrading, confirm proper certificate chain validation by connecting a client using a standard, chained certificate and verifying successful mTLS handshake.
Upgrade to version 0.16.2 or later to fix TLS certificate chain validation. This update ensures that all certificates in the PEM bundle are loaded correctly, avoiding mTLS validation failures.
CVE-2026-40944 is a vulnerability in Oxia versions 0.0.0 - < 0.16.2 where only the first certificate in a CA bundle is parsed, breaking mTLS certificate chain validation.
You are affected if you are using Oxia versions 0.0.0 - < 0.16.2 and rely on mTLS with CA certificate bundles containing multiple certificates.
Upgrade Oxia to version 0.16.2 or later. As a temporary workaround, ensure your CA certificate files contain only the root CA certificate.
There is currently no evidence of active exploitation of CVE-2026-40944.
Refer to the Oxia project's official release notes and security advisories for details on CVE-2026-40944.