CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-55079

mediumCVSS 4.9covered by 2 sourcesfirst seen 2026-07-06
Summary NewDataBuilder in provisionersdk/proto/dataupload.go allocated a byte slice using the client-supplied FileSize from a DataUpload message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the FileSize value itself was unconstrained Impact An authenticated user able to reach the provisioner daemon serve endpoint could send a roughly 50-byte message declaring a huge FileSize (for example 1 TiB), triggering an unrecoverable Go out-of-memory abort that terminates coderd. This is a single-message denial of service affecting the entire deployment. Patches The fix validates FileSize against an upper bound (MaxFileSize = 100 MiB) before allocation. The fix was backported to all supported release lines: | Release line | Patched version | |---|---| | 2.34 | v2.34.2 | | 2.33 | v2.33.8 | | 2.32 | v2.32.7 | | 2.29 (ESR) | v2.29.17 | Workarounds Restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts. Resources - Fix: #25710 Credits Coder would like to thank Anthropic's Security Team (ANT-2026-22442) for independently disclosing this issue!

⚡ Watch CVE-2026-55079

Get an email if CVE-2026-55079 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-55079

CVE.org record

Embed the live status

CVE-2026-55079 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-55079 status](https://www.csirts.com/badge/CVE-2026-55079)](https://www.csirts.com/cve/CVE-2026-55079)