PT-2026-56069 · Coder · Coder
Published
2026-07-06
·
Updated
2026-07-08
·
CVE-2026-55079
CVSS v3.1
4.9
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
coder versions prior to 2.34.2
coder versions prior to 2.33.8
coder versions prior to 2.32.7
coder versions prior to 2.29.17
Description
An authenticated user can trigger a denial of service by sending a small message with an excessively large
FileSize value to the provisioner daemon serve endpoint. The NewDataBuilder function in provisionersdk/proto/dataupload.go allocates a byte slice based on the FileSize variable from a DataUpload message without performing an upper-bound check. This can lead to an unrecoverable Go out-of-memory abort that terminates the coderd process, affecting the entire deployment.Recommendations
Update to version 2.34.2 or later.
Update to version 2.33.8 or later.
Update to version 2.32.7 or later.
Update to version 2.29.17 or later.
Restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Coder