GHSA-f962-qm93-mj4c: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service
A vulnerability in github.com/coder/coder/v2 allows an authenticated user to cause a denial of service by sending a DataUpload message with an unbounded FileSize value. The provisioner daemon allocates memory based on this client-supplied FileSize without an upper bound, potentially triggering an out-of-memory abort and terminating the coderd process. The issue is fixed by validating FileSize against a 100 MiB maximum. Patched versions are available across multiple release lines.
AI Analysis
Technical Summary
The NewDataBuilder function in provisionersdk/proto/dataupload.go of github.com/coder/coder/v2 allocates a byte slice using the client-supplied FileSize from a DataUpload message without enforcing an upper bound. Although the DRPC wire protocol limits message size to 4 MiB, the FileSize field itself was unconstrained, allowing an authenticated user to specify an excessively large value (e.g., 1 TiB). This causes the provisioner daemon to allocate excessive memory, leading to an unrecoverable out-of-memory abort that terminates the coderd process, resulting in a denial of service for the entire deployment. The vulnerability is tracked as CVE-2026-55079 and CWE-789 (Uncontrolled Memory Allocation). Fixes validate FileSize against a 100 MiB maximum and have been backported to supported release lines including 2.34.2, 2.33.8, 2.32.7, and 2.29.17. Workarounds include restricting access to the provisioner daemon serve endpoint to trusted service accounts.
Potential Impact
An authenticated user with access to the provisioner daemon serve endpoint can send a specially crafted DataUpload message with a large FileSize value, causing the provisioner daemon to allocate excessive memory. This triggers an out-of-memory abort in the Go runtime, terminating the coderd process and causing a denial of service affecting the entire deployment. There is no impact on confidentiality or integrity, only availability is affected.
Mitigation Recommendations
A fix is available and has been backported to all supported release lines: 2.34.2, 2.33.8, 2.32.7, and 2.29.17. Users should upgrade to these patched versions to remediate the vulnerability. As a workaround, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts to prevent unauthorized exploitation.
GHSA-f962-qm93-mj4c: Coder's unbounded memory allocation in provisioner file upload allows authenticated denial of service
Description
A vulnerability in github.com/coder/coder/v2 allows an authenticated user to cause a denial of service by sending a DataUpload message with an unbounded FileSize value. The provisioner daemon allocates memory based on this client-supplied FileSize without an upper bound, potentially triggering an out-of-memory abort and terminating the coderd process. The issue is fixed by validating FileSize against a 100 MiB maximum. Patched versions are available across multiple release lines.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The NewDataBuilder function in provisionersdk/proto/dataupload.go of github.com/coder/coder/v2 allocates a byte slice using the client-supplied FileSize from a DataUpload message without enforcing an upper bound. Although the DRPC wire protocol limits message size to 4 MiB, the FileSize field itself was unconstrained, allowing an authenticated user to specify an excessively large value (e.g., 1 TiB). This causes the provisioner daemon to allocate excessive memory, leading to an unrecoverable out-of-memory abort that terminates the coderd process, resulting in a denial of service for the entire deployment. The vulnerability is tracked as CVE-2026-55079 and CWE-789 (Uncontrolled Memory Allocation). Fixes validate FileSize against a 100 MiB maximum and have been backported to supported release lines including 2.34.2, 2.33.8, 2.32.7, and 2.29.17. Workarounds include restricting access to the provisioner daemon serve endpoint to trusted service accounts.
Potential Impact
An authenticated user with access to the provisioner daemon serve endpoint can send a specially crafted DataUpload message with a large FileSize value, causing the provisioner daemon to allocate excessive memory. This triggers an out-of-memory abort in the Go runtime, terminating the coderd process and causing a denial of service affecting the entire deployment. There is no impact on confidentiality or integrity, only availability is affected.
Mitigation Recommendations
A fix is available and has been backported to all supported release lines: 2.34.2, 2.33.8, 2.32.7, and 2.29.17. Users should upgrade to these patched versions to remediate the vulnerability. As a workaround, restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts to prevent unauthorized exploitation.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-f962-qm93-mj4c
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-55079"]
- Ecosystems
- ["Go"]
- Database Specific Severity
- MODERATE
- Cvss Version
- 3.1
Threat ID: 6a4c340327e9c797195f5f5c
Added to database: 07/06/2026, 23:02:27 UTC
Last enriched: 07/06/2026, 23:13:08 UTC
Last updated: 07/06/2026, 23:13:08 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.