Skip to main content

Coder CVE-2026-55079

MEDIUM
Memory Allocation with Excessive Size Value (CWE-789)
2026-07-06 https://github.com/coder/coder GHSA-f962-qm93-mj4c
6.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (https://github.com/coder/coder) PRIMARY
MEDIUM
qualitative
NVD
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.9 MEDIUM

Network-reachable but exploitation requires high-privilege provisioner daemon credentials; impact is pure availability with no confidentiality or integrity consequence.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/coder/coder).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
CVSS changed
Jul 08, 2026 - 19:52 NVD
4.9 (MEDIUM) 6.5 (MEDIUM)
CVSS changed
Jul 08, 2026 - 19:52 NVD
4.9 (MEDIUM) 6.5 (MEDIUM)
Analysis Generated
Jul 06, 2026 - 22:17 vuln.today

DescriptionNVD

Summary

NewDataBuilder in provisionersdk/proto/dataupload.go allocated a byte slice using the client-supplied FileSize from a DataUpload message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the FileSize value itself was unconstrained

Impact

An authenticated user able to reach the provisioner daemon serve endpoint could send a roughly 50-byte message declaring a huge FileSize (for example 1 TiB), triggering an unrecoverable Go out-of-memory abort that terminates coderd. This is a single-message denial of service affecting the entire deployment.

Patches

The fix validates FileSize against an upper bound (MaxFileSize = 100 MiB) before allocation.

The fix was backported to all supported release lines:

Release linePatched version
2.34v2.34.2
2.33v2.33.8
2.32v2.32.7
2.29 (ESR)v2.29.17

Workarounds

Restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts.

Resources

  • Fix: #25710

Credits

Coder would like to thank Anthropic's Security Team (ANT-2026-22442) for independently disclosing this issue!

AnalysisAI

Uncontrolled memory allocation in Coder's provisioner daemon allows an authenticated user to crash the entire coderd deployment with a single ~50-byte network message. The vulnerability exists in the NewDataBuilder function within provisionersdk/proto/dataupload.go, which blindly allocates a byte slice using a client-supplied FileSize field from a DataUpload DRPC message, with no upper-bound validation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain provisioner daemon credentials
Delivery
Connect to coderd provisioner daemon DRPC endpoint
Exploit
Send crafted DataUpload message with oversized FileSize
Execution
NewDataBuilder allocates declared size without bounds check
Persist
Go runtime exhausts memory
Impact
coderd process OOM-aborts, full deployment denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session to the provisioner daemon serve endpoint, confirmed by the CVSS vector PR:H. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) accurately reflects the primary risk-limiting factor: exploitation requires High privileges, meaning an attacker must possess valid credentials for the provisioner daemon serve endpoint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding valid provisioner daemon service account credentials - or an insider with such access - constructs a minimal (~50-byte) DataUpload DRPC message in which the FileSize field is set to an extremely large value such as 1,099,511,627,776 bytes (1 TiB). When coderd receives and processes this message, NewDataBuilder passes the attacker-controlled FileSize directly to Go's runtime memory allocator; the allocator attempts to satisfy the request, exhausts available memory, and triggers an unrecoverable Go OOM abort that immediately terminates the coderd process and denies service to every user of the deployment until the process is manually restarted. …
Remediation Upgrade to a patched release: v2.34.2 for the 2.34 release line, v2.33.8 for the 2.33 line, v2.32.7 for the 2.32 line, or v2.29.17 for the 2.29 ESR line. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-55079 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy