CVE-2025-62599
Integer Overflow in Fast DDS DATA Submessage Causes Remote OOM
Publication date: 2026-02-03
Last updated on: 2026-04-09
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eprosima | fast_dds | Up to 2.6.11 (exc) |
| eprosima | fast_dds | From 3.0.0 (inc) to 3.3.1 (exc) |
| eprosima | fast_dds | 3.4.0 |
| debian | debian_linux | 11.0 |
| debian | debian_linux | 12.0 |
| debian | debian_linux | 13.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
| CWE-789 | The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated. |
| CWE-190 | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62599 is a vulnerability in Fast DDS, a C++ implementation of the DDS standard. When security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher can cause an Out-Of-Memory (OOM) condition, leading to remote termination of Fast DDS.
Specifically, tampering with the length field in the readPropertySeq of the PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN fields in the DATA Submessage causes an integer overflow. This overflow triggers an OOM during a resize operation.
The root cause is unsafe arithmetic and length checks in the deserialization process of CDR messages, which allowed integer overflows and buffer overruns.
The vulnerability was fixed by refactoring the deserialization logic to use 64-bit arithmetic for length and position calculations, adding safe buffer wrapping methods, improving validation logic, and preventing arithmetic overflows during length checks.
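As an added illustration (not Fast DDS's own CDRMessage code), the hypothetical CDR reader below places the 32-bit length-check wraparound described above beside the 64-bit form the fix adopts, so a tampered sequence length is rejected before any resize can allocate it:

```cpp
#include <cstdint>
#include <vector>

// Hypothetical minimal CDR read cursor; an added illustration, not Fast DDS's
// own CDRMessage class.
struct CdrBuffer {
    const uint8_t* data;
    uint32_t length;  // total bytes available
    uint32_t pos;     // current read offset
};

// Little-endian uint32 read (CDR with the LE flag set). Caller bounds-checks first.
static uint32_t read_u32_le(CdrBuffer& b) {
    const uint8_t* d = b.data + b.pos;
    uint32_t v = d[0] | (uint32_t(d[1]) << 8) | (uint32_t(d[2]) << 16) | (uint32_t(d[3]) << 24);
    b.pos += 4;
    return v;
}

// Vulnerable pattern: the 32-bit sum `pos + len` wraps for a large
// attacker-controlled length, so the check passes and a later resize(len)
// tries to allocate gigabytes (the OOM the advisory describes).
bool unsafe_fits(const CdrBuffer& b, uint32_t len) {
    return b.pos + len <= b.length;
}

// Hardened pattern: widen to 64 bits so the sum cannot wrap.
bool safe_fits(const CdrBuffer& b, uint32_t len) {
    uint64_t end = static_cast<uint64_t>(b.pos) + len;
    return end <= b.length;
}

// Reads a CDR length-prefixed octet sequence. The length is validated against
// the bytes actually remaining *before* any allocation, so a bogus length is
// rejected instead of reaching resize().
bool read_octet_seq(CdrBuffer& b, std::vector<uint8_t>& out) {
    if (!safe_fits(b, 4)) return false;
    uint32_t len = read_u32_le(b);
    if (!safe_fits(b, len)) return false;  // never allocate an unverified length
    out.assign(b.data + b.pos, b.data + b.pos + len);
    b.pos += len;
    return true;
}
```

With a constructed 8-byte buffer whose length prefix is 0xFFFFFFFE, `unsafe_fits` accepts it (the sum wraps to 2) while `safe_fits` and `read_octet_seq` reject it.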
How can this vulnerability impact me?
This vulnerability in Fast DDS can cause an Out-Of-Memory (OOM) condition leading to remote termination of the Fast DDS process when a malicious actor modifies specific fields in the DATA Submessage of an SPDP packet. Specifically, tampering with the length field in readPropertySeq triggers an integer overflow during a resize operation, resulting in OOM.
The impact is a denial of service (DoS) condition in which the affected Fast DDS instance can be remotely crashed or terminated, potentially disrupting communication or data distribution services that rely on Fast DDS.
The vulnerability has a low CVSS score (1.7), indicating limited impact severity, but it still poses a risk of service interruption.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Fast DDS to a fixed version where the vulnerability is patched. Versions 3.4.1, 3.3.1, and 2.6.11 include the fix.
The fix involves a comprehensive refactor of the deserialization logic in the CDRMessage class to prevent integer overflows and buffer overruns during parsing of DDS messages.
If upgrading immediately is not possible, consider disabling or restricting the use of security mode in Fast DDS or filtering incoming DDS/SPDP packets at the network perimeter to block malformed packets.
Monitor Fast DDS instances for crashes or abnormal behavior that could indicate exploitation attempts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a remote Out-Of-Memory (OOM) condition triggered by modifying the DATA Submessage within an SPDP packet sent by a publisher in Fast DDS when security mode is enabled. Detection would involve monitoring network traffic for malformed or tampered SPDP packets, specifically those with manipulated PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN fields in the DATA Submessage.
Since the vulnerability is triggered by crafted DDS messages causing integer overflow and OOM in Fast DDS, detection on the network could involve capturing and analyzing DDS SPDP packets for anomalies in the DATA Submessage fields, especially the length fields in readPropertySeq.
No explicit detection commands or signatures are provided in the available resources. However, general packet capture tools such as tcpdump or Wireshark can be used to capture DDS traffic on the network interface, filtering for SPDP packets (typically multicast UDP on port 7400 for domain 0; the discovery port increases with the domain ID). Example command to capture such packets (options precede the filter expression so it also works on non-GNU tcpdump builds):
- `tcpdump -i <interface> -w fastdds_spdp.pcap udp port 7400`
After capturing, analysis can be done with Wireshark or custom scripts to inspect the DATA Submessage contents for irregular length fields or malformed tokens that could indicate exploitation attempts.
On the system running Fast DDS, monitoring for unexpected process termination or crashes of the Fast DDS service or application could also indicate exploitation attempts, as the vulnerability causes remote termination via OOM.
In summary, detection involves network traffic capture and analysis of DDS SPDP packets for malformed DATA Submessages, and system monitoring for abnormal Fast DDS process behavior. No specific detection commands are provided in the resources.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of CVE-2025-62599 on compliance with common standards and regulations such as GDPR or HIPAA.