CVE-2026-55079

GHSA-f962-qm93-mj4c MEDIUM
Published July 6, 2026

### Summary `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `DataUpload` message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the `FileSize` value itself was unconstrained ### Impact An...

Full CISO analysis pending enrichment.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Anthropic Python go >= 2.34.0, < 2.34.2 2.34.2
3.7K 5.4K dependents Pushed 4d ago 95% patched ~3d to patch Full package profile →

Do you use Anthropic Python? You're affected.

How severe is it?

CVSS 3.1
4.9 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR High
UI None
S Unchanged
C None
I None
A High

What should I do?

Patch available

Update Anthropic Python to version 2.34.2

Which compliance frameworks are affected?

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-55079?

### Summary `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `DataUpload` message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the `FileSize` value itself was unconstrained ### Impact An authenticated user able to reach the provisioner daemon serve endpoint could send a roughly 50-byte message declaring a huge `FileSize` (for example 1 TiB), triggering an unrecoverable Go out-of-memory abort that terminates `coderd`. This is a single-message denial of service affecting the entire deployment. ### Patches The fix validates `FileSize` against an upper bound (`MaxFileSize = 100 MiB`) before allocation. The fix was backported to all supported release lines: | Release line | Patched version | |---|---| | 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) | | 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) | | 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) | | 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) | ### Workarounds Restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts. ### Resources - Fix: #25710 ### Credits Coder would like to thank Anthropic's Security Team (ANT-2026-22442) for independently disclosing this issue!

Is CVE-2026-55079 actively exploited?

No confirmed active exploitation of CVE-2026-55079 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-55079?

Update to patched version: Anthropic Python 2.34.2.

What is the CVSS score for CVE-2026-55079?

CVE-2026-55079 has a CVSS v3.1 base score of 4.9 (MEDIUM).

What are the technical details?

Original Advisory

### Summary `NewDataBuilder` in `provisionersdk/proto/dataupload.go` allocated a byte slice using the client-supplied `FileSize` from a `DataUpload` message without an upper-bound check. Although the DRPC wire limit is 4 MiB, the `FileSize` value itself was unconstrained ### Impact An authenticated user able to reach the provisioner daemon serve endpoint could send a roughly 50-byte message declaring a huge `FileSize` (for example 1 TiB), triggering an unrecoverable Go out-of-memory abort that terminates `coderd`. This is a single-message denial of service affecting the entire deployment. ### Patches The fix validates `FileSize` against an upper bound (`MaxFileSize = 100 MiB`) before allocation. The fix was backported to all supported release lines: | Release line | Patched version | |---|---| | 2.34 | [v2.34.2](https://github.com/coder/coder/releases/tag/v2.34.2) | | 2.33 | [v2.33.8](https://github.com/coder/coder/releases/tag/v2.33.8) | | 2.32 | [v2.32.7](https://github.com/coder/coder/releases/tag/v2.32.7) | | 2.29 (ESR) | [v2.29.17](https://github.com/coder/coder/releases/tag/v2.29.17) | ### Workarounds Restrict access to the provisioner daemon serve endpoint to trusted provisioner daemon service accounts. ### Resources - Fix: #25710 ### Credits Coder would like to thank Anthropic's Security Team (ANT-2026-22442) for independently disclosing this issue!

Weaknesses (CWE)

CWE-789 — Memory Allocation with Excessive Size Value: The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.

  • [Implementation, Architecture and Design] Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
  • [Operation] Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
July 6, 2026
Last Modified
July 6, 2026
First Seen
July 7, 2026

Related Vulnerabilities