CVE-2025-62799
Heap Buffer Overflow in Fast DDS DATA_FRAG Causes DoS, RCE Risk
Publication date: 2026-02-03
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| eprosima | fast_dds | Up to 2.6.11 (exc) |
| eprosima | fast_dds | From 3.0.0 (inc) to 3.3.1 (exc) |
| eprosima | fast_dds | 3.4.0 |
| debian | debian_linux | 11.0 |
| debian | debian_linux | 12.0 |
| debian | debian_linux | 13.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-122 | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). |
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-62799 is a vulnerability in Fast DDS, a C++ implementation of the DDS standard. It involves a heap buffer overflow in the handling of RTPS DATA_FRAG messages. An unauthenticated sender can send a specially crafted DATA_FRAG packet with manipulated fragmentSize and sampleSize values that violate internal assumptions.
Due to a 4-byte alignment step during fragment metadata initialization, the code writes beyond the allocated payload buffer, causing an immediate crash (Denial of Service) and potentially enabling memory corruption that could lead to remote code execution.
The vulnerability arises because the fragment payload size calculation and memory reservation did not properly account for alignment and fragment index storage, allowing buffer overflows.
The issue was fixed by refactoring the fragment payload size calculation to ensure correct minimum buffer sizes, enforcing a minimum fragment size of 4 bytes, aligning fragment sizes properly, and updating cache reservation logic to prevent unsafe memory allocations.
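As an added illustration (not Fast DDS code), the following C++ model shows the kind of sizing discipline the fix describes: a DATA_FRAG header is rejected unless fragmentSize meets the 4-byte minimum and the carried fragment range fits the sample, and the reservation is computed from aligned fragments plus per-fragment index storage rather than from the bare sampleSize. The struct layout, the 4-byte index slot per fragment, and the naive reservation function are assumptions made for the example.

```cpp
#include <cstdint>
#include <optional>

// Fields of an RTPS DATA_FRAG submessage that drive buffer sizing.
struct DataFragHeader {
    uint32_t fragmentStartingNum;   // 1-based number of the first fragment carried
    uint16_t fragmentsInSubmessage; // how many fragments this submessage carries
    uint16_t fragmentSize;          // bytes of payload per fragment
    uint32_t sampleSize;            // total size of the serialized sample
};

// Sizing rules taken from the advisory: fragments are at least 4 bytes and
// fragment metadata is handled on 4-byte boundaries.
constexpr uint32_t kMinFragmentSize       = 4;
constexpr uint32_t kFragmentAlign         = 4;
constexpr uint32_t kIndexBytesPerFragment = 4; // assumed size of one per-fragment index slot

constexpr uint32_t align_up(uint32_t v, uint32_t a) { return (v + a - 1) / a * a; }

struct Reservation {
    uint32_t fragments;     // number of fragments the sample is split into
    uint32_t payloadBytes;  // payload area, padded to whole aligned fragments
    uint32_t indexBytes;    // per-fragment index storage
    uint32_t totalBytes;    // what must actually be reserved
};

// Naive sizing of the kind the advisory describes: reserve the bare sampleSize
// and ignore both alignment padding and index storage (modelled, not Fast DDS code).
constexpr uint32_t naive_reservation(const DataFragHeader& h) { return h.sampleSize; }

// Hardened sizing: reject inconsistent headers, then reserve enough for
// aligned fragments plus their index slots.
std::optional<Reservation> plan_reservation(const DataFragHeader& h) {
    if (h.sampleSize == 0 || h.fragmentSize < kMinFragmentSize) return std::nullopt;
    const uint32_t fragSize  = align_up(h.fragmentSize, kFragmentAlign);
    const uint64_t fragments = (uint64_t{h.sampleSize} + fragSize - 1) / fragSize;
    // Fragment numbers are 1-based; the carried range must lie inside the sample.
    if (h.fragmentStartingNum == 0 || h.fragmentsInSubmessage == 0 ||
        uint64_t{h.fragmentStartingNum} - 1 + h.fragmentsInSubmessage > fragments)
        return std::nullopt;
    const uint64_t payload = fragments * fragSize;
    const uint64_t index   = fragments * kIndexBytesPerFragment;
    if (payload + index > UINT32_MAX) return std::nullopt;
    return Reservation{static_cast<uint32_t>(fragments), static_cast<uint32_t>(payload),
                       static_cast<uint32_t>(index), static_cast<uint32_t>(payload + index)};
}
```

Comparing `plan_reservation(h)->totalBytes` with `naive_reservation(h)` for the same header shows how much the bare sampleSize under-reserves once alignment and index storage are counted.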
How can this vulnerability impact me?
This vulnerability can impact you by allowing an unauthenticated attacker to send a maliciously crafted fragmented data message that causes the Fast DDS application to crash immediately, resulting in a Denial of Service (DoS).
Beyond causing crashes, the heap buffer overflow may lead to memory corruption, which could potentially be exploited to achieve remote code execution (RCE), allowing an attacker to execute arbitrary code on the affected system.
Such impacts can disrupt services relying on Fast DDS for data distribution, compromise system stability, and pose serious security risks if exploited.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Fast DDS to a fixed version where the vulnerability is patched. The issue is fixed in Fast DDS versions 3.4.1, 3.3.1, and 2.6.11.
The fix involves refactoring the fragment payload size calculation and memory reservation logic to prevent buffer overflows and alignment issues when handling RTPS DATA_FRAG messages.
If upgrading immediately is not possible, consider implementing network-level filtering to block malformed RTPS DATA_FRAG packets with suspicious fragment sizes or sample sizes, although no specific filtering rules are provided.
Monitoring for crashes or denial-of-service symptoms related to Fast DDS processes may also help identify exploitation attempts.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability in Fast DDS involves processing of malformed RTPS DATA_FRAG packets with crafted fragmentSize and sampleSize values that cause heap buffer overflow. Detection involves monitoring for such malformed RTPS DATA_FRAG messages on the network or within Fast DDS logs.
While no explicit detection commands are provided in the available resources, a practical approach includes capturing and analyzing RTPS traffic for suspicious DATA_FRAG submessages with unusual fragmentSize or sampleSize values that violate expected alignment or size constraints.
You can use network packet capture tools such as tcpdump or Wireshark to filter RTPS DATA_FRAG messages and inspect their fragmentSize and sampleSize fields. For example, a tcpdump command to capture RTPS traffic on UDP port 7400 (default RTPS port) might be:
- `tcpdump -i <interface> udp port 7400 -w rtps_capture.pcap`
Then, analyze the capture with Wireshark using the RTPS protocol dissector to identify DATA_FRAG submessages and check for abnormal fragment sizes or sample sizes.
Additionally, monitoring Fast DDS application logs for warnings or errors related to cache reservation failures or crashes during DATA_FRAG message processing can help detect exploitation attempts.
Since the vulnerability causes crashes (DoS) or memory corruption, observing unexpected Fast DDS process crashes or instability during RTPS communication may also indicate exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context and resources do not contain information regarding the impact of CVE-2025-62799 on compliance with common standards and regulations such as GDPR or HIPAA.