CVE-2026-55079
Received Received - Intake

Memory Allocation Flaw in Coder Provisioner SDK

Vulnerability report for CVE-2026-55079, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.24.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `DataUpload` message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the `FileSize` value itself was unconstrained. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates `FileSize` against an upper bound (`MaxFileSize = 100 MiB`) before allocation. As a workaround, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 10 associated CPEs
Vendor Product Version / Range
coder coder From 2.24.0 (inc) to 2.29.7 (exc)
coder coder 2.29.7
coder coder 2.32.7
coder coder 2.33.8
coder coder 2.34.2
coder coder 2.29.17
coder coder From 2.34.0 (inc) to 2.34.2 (exc)
coder coder From 2.33.0 (inc) to 2.33.8 (exc)
coder coder From 2.30.0 (inc) to 2.32.7 (exc)
coder coder From 2.24.0 (inc) to 2.29.17 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The primary mitigation is to upgrade Coder to a fixed version that includes the patch validating the FileSize parameter before allocation. Fixed versions include 2.29.17, 2.32.7, 2.33.8, and 2.34.2.

As a workaround before upgrading, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts only, preventing untrusted users from sending malicious DataUpload messages.

Users are strongly advised to upgrade to the latest patched versions to fully mitigate the risk.

Executive Summary

CVE-2026-55079 is a vulnerability in Coder's remote development environment provisioning via Terraform. The issue occurs in the function NewDataBuilder within provisionersdk/proto/dataupload.go, where a byte slice is allocated based on a client-supplied FileSize value without an upper-bound check.

Although the DRPC wire protocol limits messages to 4 MiB, the FileSize value itself was not constrained, allowing an attacker to specify an extremely large FileSize (e.g., 1 TiB). This causes the system to attempt to allocate an enormous amount of memory, leading to an unrecoverable out-of-memory error that crashes the coderd service.

The vulnerability affects versions starting from 2.24.0 up to versions before 2.29.17, 2.32.7, 2.33.8, and 2.34.2, where the issue was fixed by validating FileSize against a maximum limit of 100 MiB before allocation.

A workaround is to restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts.

Impact Analysis

This vulnerability can be exploited to cause a denial-of-service (DoS) condition by crashing the coderd service through an out-of-memory error.

An attacker can send a small message with a maliciously large FileSize value, forcing the system to allocate excessive memory (up to 1 TiB), which leads to an unrecoverable runtime error and termination of the coderd process.

This results in a single-message denial of service that affects the entire deployment, potentially disrupting development workflows and availability of remote development environments.

Detection Guidance

This vulnerability involves an unbounded memory allocation triggered by a maliciously crafted DataUpload message with an excessively large FileSize value. Detection would involve monitoring the provisioner daemon service for abnormal memory usage or crashes of the coderd process.

Since the vulnerability is triggered by a specific RPC message to the provisioner daemon, network detection could focus on identifying unusually large or malformed DataUpload messages sent to the provisioner daemon serve endpoint.

No specific commands are provided in the available resources to detect this vulnerability directly. However, general approaches could include:

  • Monitoring logs of the provisioner daemon for out-of-memory errors or service crashes.
  • Using network packet capture tools (e.g., tcpdump, Wireshark) to inspect traffic to the provisioner daemon endpoint for suspiciously small messages claiming very large FileSize values.
  • Checking the version of Coder deployed to ensure it is not within the vulnerable version ranges.
Compliance Impact

The provided information does not specify any direct impact of CVE-2026-55079 on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55079. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart