CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-f962-qm93-mj4c: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service

mediumCVSS 4.9CVE-2026-55079
Summary NewDataBuilder in provisionersdk/proto/dataupload.go allocated a byte slice using the client-supplied FileSize from a DataUpload message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the FileSize value itself was unconstrained Impact An authenticated user able to reach the provisioner daemon serve endpoint could send a roughly 50-byte message declaring a huge FileSize (for example 1 TiB), triggering an unrecoverable Go out-of-memory abort that terminates coderd. This is a single-message denial of service affecting the entire deployment. Patches The fix validates FileSize against an upper bound (MaxFileSize = 100 MiB) before allocation. The fix was backported to all supported release lines: | Release line | Patched version | |---|---| | 2.34 | v2.34.2 | | 2.33 | v2.33.8 | | 2.32 | v2.32.7 | | 2.29 (ESR) | v2.29.17 | Workarounds Restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts. Resources - Fix: #25710 Credits Coder would like to thank Anthropic's Security Team (ANT-2026-22442) for independently disclosing this issue!

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
medium — CVSS 4.9
Published
2026-07-06
Last updated
2026-07-06
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-f962-qm93-mj4c

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-55079coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

More from GitHub Security Advisories