CVE-2026-55079

Source
https://cve.org/CVERecord?id=CVE-2026-55079
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55079.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55079
Aliases
Published
2026-07-07T23:50:37.197Z
Modified
2026-07-08T08:13:48.736505666Z
Severity
  • 4.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service
Details

Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.24.0 and prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, NewDataBuilder in provisionersdk/proto/dataupload.go allocated a byte slice using the client-supplied FileSize from a DataUpload message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the FileSize value itself was unconstrained. The fix in versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2 validates FileSize against an upper bound (MaxFileSize = 100 MiB) before allocation. As a workaround, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55079.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-789"
    ]
}
References

Affected packages

Git / github.com/coder/coder

Affected ranges

Type
GIT
Repo
https://github.com/coder/coder
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "2.34.0"
        },
        {
            "fixed": "2.34.2"
        },
        {
            "introduced": "2.33.0"
        },
        {
            "fixed": "2.33.8"
        },
        {
            "introduced": "2.30.0"
        },
        {
            "fixed": "2.32.7"
        },
        {
            "introduced": "2.24.0"
        },
        {
            "fixed": "2.29.17"
        }
    ]
}

Affected versions

v2.*
v2.33.0
v2.33.1
v2.33.2
v2.33.3
v2.33.4
v2.33.5
v2.33.6
v2.33.7
v2.34.0
v2.34.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55079.json"