PT-2026-56069 · Coder · Coder

Published

2026-07-06

·

Updated

2026-07-08

·

CVE-2026-55079

CVSS v3.1

4.9

Medium

VectorAV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions coder versions prior to 2.34.2 coder versions prior to 2.33.8 coder versions prior to 2.32.7 coder versions prior to 2.29.17
Description An authenticated user can trigger a denial of service by sending a small message with an excessively large FileSize value to the provisioner daemon serve endpoint. The NewDataBuilder function in provisionersdk/proto/dataupload.go allocates a byte slice based on the FileSize variable from a DataUpload message without performing an upper-bound check. This can lead to an unrecoverable Go out-of-memory abort that terminates the coderd process, affecting the entire deployment.
Recommendations Update to version 2.34.2 or later. Update to version 2.33.8 or later. Update to version 2.32.7 or later. Update to version 2.29.17 or later. Restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55079
GHSA-F962-QM93-MJ4C
GO-2026-5911

Affected Products

Coder