CVE-2025-62601
Heap Buffer Overflow in Fast DDS SPDP Packet Causes Remote Crash
Publication date: 2026-02-03
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eprosima | fast_dds | Up to 2.6.11 (exc) |
| eprosima | fast_dds | From 3.0.0 (inc) to 3.3.1 (exc) |
| eprosima | fast_dds | 3.4.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Fast DDS, a C++ implementation of the Data Distribution Service (DDS) standard. When security mode is enabled, an attacker can modify the DATA Submessage within an SPDP packet sent by a publisher. Specifically, tampering with the fields PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN by altering the str_size value causes a 32-bit integer overflow. This overflow leads to std::vector::resize using an attacker-controlled size, which triggers a heap buffer overflow and results in remote termination of the Fast DDS process.
The issue affects versions prior to 3.4.1, 3.3.1, and 2.6.11, which have been patched to fix this problem.
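The length-handling pattern described above, as an added C++ illustration that is not Fast DDS's own code: a hypothetical CDR-style string field whose 4-byte str_size is tampered, the unchecked 32-bit arithmetic that wraps to a small value before resize(), and a hardened parser that bounds str_size against the bytes actually present before allocating anything. The field layout, function names and the sample token string are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical CDR-style string field: 4-byte little-endian str_size
// (byte count including the terminating NUL) followed by str_size bytes.
// Illustrates the pattern the advisory describes; not Fast DDS's parser.

static uint32_t read_le32(const std::vector<uint8_t>& b, size_t o) {
    return uint32_t(b[o]) | uint32_t(b[o + 1]) << 8 |
           uint32_t(b[o + 2]) << 16 | uint32_t(b[o + 3]) << 24;
}

// Constructs a string field with an arbitrary declared str_size, so a
// tampered length can be fed to the parser without touching memory.
std::vector<uint8_t> make_string_field(uint32_t declared_size, const std::string& text) {
    std::vector<uint8_t> out;
    for (int i = 0; i < 4; ++i) out.push_back(uint8_t(declared_size >> (8 * i)));
    out.insert(out.end(), text.begin(), text.end());
    out.push_back(0);
    return out;
}

// Unsafe pattern (hypothetical): the allocation size is derived from
// str_size in 32-bit arithmetic, so a large value wraps to a small one
// before resize() while a later copy still uses the original str_size.
uint32_t unchecked_resize_size(uint32_t str_size) {
    return str_size + 1;  // 0xFFFFFFFF wraps to 0
}

// Hardened version: bound str_size against what remains of the parameter
// and of the datagram, in size_t arithmetic, before any resize().
bool parse_cdr_string(const std::vector<uint8_t>& buf, size_t offset,
                      size_t param_len, std::string& out) {
    if (param_len < 4 || offset > buf.size() || buf.size() - offset < 4) return false;
    const uint32_t str_size = read_le32(buf, offset);
    const size_t available = std::min(param_len - 4, buf.size() - offset - 4);
    if (str_size == 0 || str_size > available) return false;  // reject, never allocate
    const uint8_t* s = buf.data() + offset + 4;
    if (s[str_size - 1] != 0) return false;  // CDR strings carry a trailing NUL
    out.assign(reinterpret_cast<const char*>(s), str_size - 1);
    return true;
}
```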
How can this vulnerability impact me?
This vulnerability can lead to remote termination of the Fast DDS process, effectively causing a denial of service. An attacker who exploits this flaw can crash the application remotely by sending specially crafted packets, potentially disrupting communication and data distribution services that rely on Fast DDS.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade Fast DDS to version 3.4.1 or later, where the issue has been fixed.
Avoid using vulnerable versions such as 2.1.0+ds-9+deb11u1, 2.9.1+ds-1+deb12u2, 3.1.2+ds-1, and 3.3.0+ds-3 until patched versions are available.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a heap buffer overflow triggered by tampering with specific fields in the DATA Submessage of SPDP packets sent by Fast DDS publishers when security mode is enabled.
To detect this vulnerability on your network or system, you can monitor network traffic for SPDP packets containing modified DATA Submessages, especially those with suspicious or malformed PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN fields.
Since the vulnerability is specific to Fast DDS versions prior to 3.4.1, 3.3.1, and 2.6.11, checking the installed Fast DDS version on your system is a primary step.
- Check Fast DDS version installed: fastdds --version
- Capture and analyze network traffic for SPDP packets (which use UDP multicast on port 7400 by default): sudo tcpdump -i <interface> udp port 7400 -w spdp_capture.pcap
- Analyze captured packets with Wireshark or tshark to inspect DATA Submessages for anomalies in PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN fields.
- Monitor Fast DDS process crashes or unexpected terminations which may indicate exploitation attempts.
Note that no specific detection commands or signatures are provided in the available resources, so detection relies on version checking, network traffic inspection, and monitoring for crashes.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.