Platform: go
Component: oxia-db
Fixed in: 0.16.3, 0.16.2
CVE-2026-40944 is a security vulnerability affecting Oxia versions prior to 0.16.2. The vulnerability lies in the trustedCertPool() function's handling of CA certificate files, which only parses the first PEM block. This leads to a failure in certificate chain validation when using mutual TLS (mTLS) with multi-certificate CA bundles, effectively rendering mTLS unusable with standard certificate chains.
The primary impact of CVE-2026-40944 is the disruption of mTLS functionality in deployments utilizing certificate chains. When a CA bundle contains multiple certificates, such as an intermediate CA certificate chained with a root CA certificate, only the first certificate is loaded by Oxia. Consequently, legitimate clients presenting properly chained certificates will be rejected with an 'x509: certificate signed by unknown authority' error. This effectively disables mTLS, potentially exposing sensitive data and services to unauthorized access. The blast radius is limited to deployments relying on mTLS with Oxia, but the impact within those deployments can be significant.
CVE-2026-40944 was publicly disclosed on 2026-04-21. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. Public proof-of-concept (POC) code is not currently available, but the vulnerability's nature makes it relatively straightforward to exploit in environments where mTLS is deployed with Oxia.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
The definitive mitigation for CVE-2026-40944 is to upgrade Oxia to version 0.16.2 or later, which resolves the certificate parsing issue. If an immediate upgrade is not feasible, consider implementing a workaround by ensuring that CA certificate files contain only the root CA certificate, eliminating the need for intermediate certificates. While this reduces the complexity of the certificate chain, it may also impact compatibility with certain clients. Monitor Oxia logs for 'x509: certificate signed by unknown authority' errors to identify potentially affected clients. After upgrading, confirm proper certificate chain validation by connecting a client using a standard, chained certificate and verifying successful mTLS handshake.
Upgrade to version 0.16.2 or later to correct TLS certificate chain validation. This update ensures that all certificates in the PEM bundle are loaded correctly, preventing mTLS validation failures.
CVE-2026-40944 is a vulnerability in Oxia versions 0.0.0 - < 0.16.2 where only the first certificate in a CA bundle is parsed, breaking mTLS certificate chain validation.
You are affected if you are using Oxia versions 0.0.0 - < 0.16.2 and rely on mTLS with CA certificate bundles containing multiple certificates.
Upgrade Oxia to version 0.16.2 or later. As a temporary workaround, ensure your CA certificate files contain only the root CA certificate.
There is currently no evidence of active exploitation of CVE-2026-40944.
Refer to the Oxia project's official release notes and security advisories for details on CVE-2026-40944.