Coder CVE-2026-55079
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Network-reachable but exploitation requires high-privilege provisioner daemon credentials; impact is pure availability with no confidentiality or integrity consequence.
Primary rating from Vendor (https://github.com/coder/coder).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionNVD
Summary
NewDataBuilder in provisionersdk/proto/dataupload.go allocated a byte slice using the client-supplied FileSize from a DataUpload message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the FileSize value itself was unconstrained
Impact
An authenticated user able to reach the provisioner daemon serve endpoint could send a roughly 50-byte message declaring a huge FileSize (for example 1 TiB), triggering an unrecoverable Go out-of-memory abort that terminates coderd. This is a single-message denial of service affecting the entire deployment.
Patches
The fix validates FileSize against an upper bound (MaxFileSize = 100 MiB) before allocation.
The fix was backported to all supported release lines:
Workarounds
Restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts.
Resources
- Fix: #25710
Credits
Coder would like to thank Anthropic's Security Team (ANT-2026-22442) for independently disclosing this issue!
AnalysisAI
Uncontrolled memory allocation in Coder's provisioner daemon allows an authenticated user to crash the entire coderd deployment with a single ~50-byte network message. The vulnerability exists in the NewDataBuilder function within provisionersdk/proto/dataupload.go, which blindly allocates a byte slice using a client-supplied FileSize field from a DataUpload DRPC message, with no upper-bound validation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated session to the provisioner daemon serve endpoint, confirmed by the CVSS vector PR:H. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) accurately reflects the primary risk-limiting factor: exploitation requires High privileges, meaning an attacker must possess valid credentials for the provisioner daemon serve endpoint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding valid provisioner daemon service account credentials - or an insider with such access - constructs a minimal (~50-byte) DataUpload DRPC message in which the FileSize field is set to an extremely large value such as 1,099,511,627,776 bytes (1 TiB). When coderd receives and processes this message, NewDataBuilder passes the attacker-controlled FileSize directly to Go's runtime memory allocator; the allocator attempts to satisfy the request, exhausts available memory, and triggers an unrecoverable Go OOM abort that immediately terminates the coderd process and denies service to every user of the deployment until the process is manually restarted. … |
| Remediation | Upgrade to a patched release: v2.34.2 for the 2.34 release line, v2.33.8 for the 2.33 line, v2.32.7 for the 2.32 line, or v2.29.17 for the 2.29 ESR line. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-f962-qm93-mj4c