CVE-2025-62799
Unknown Unknown - Not Provided
Heap Buffer Overflow in Fast DDS DATA_FRAG Causes DoS, RCE Risk

Publication date: 2026-02-03

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un authenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft ed to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write s past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption ( RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-14
NVD
CVE-2025-62799
EUVD
EUVD-2025-206666
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
eprosima fast_dds to 2.6.11 (exc)
eprosima fast_dds From 3.0.0 (inc) to 3.3.1 (exc)
eprosima fast_dds 3.4.0
debian debian_linux 11.0
debian debian_linux 12.0
debian debian_linux 13.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided context and resources do not contain information regarding the impact of CVE-2025-62799 on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2025-62799 is a vulnerability in Fast DDS, a C++ implementation of the DDS standard. It involves a heap buffer overflow in the handling of RTPS DATA_FRAG messages. An unauthenticated sender can send a specially crafted DATA_FRAG packet with manipulated fragmentSize and sampleSize values that violate internal assumptions.

Due to a 4-byte alignment step during fragment metadata initialization, the code writes beyond the allocated payload buffer, causing an immediate crash (Denial of Service) and potentially enabling memory corruption that could lead to remote code execution.

The vulnerability arises because the fragment payload size calculation and memory reservation did not properly account for alignment and fragment index storage, allowing buffer overflows.

The issue was fixed by refactoring the fragment payload size calculation to ensure correct minimum buffer sizes, enforcing a minimum fragment size of 4 bytes, aligning fragment sizes properly, and updating cache reservation logic to prevent unsafe memory allocations.

Impact Analysis

This vulnerability can impact you by allowing an unauthenticated attacker to send a maliciously crafted fragmented data message that causes the Fast DDS application to crash immediately, resulting in a Denial of Service (DoS).

Beyond causing crashes, the heap buffer overflow may lead to memory corruption, which could potentially be exploited to achieve remote code execution (RCE), allowing an attacker to execute arbitrary code on the affected system.

Such impacts can disrupt services relying on Fast DDS for data distribution, compromise system stability, and pose serious security risks if exploited.

Mitigation Strategies

The primary mitigation is to upgrade Fast DDS to a fixed version where the vulnerability is patched. The issue is fixed in Fast DDS versions 3.4.1, 3.3.1, and 2.6.11.

The fix involves refactoring the fragment payload size calculation and memory reservation logic to prevent buffer overflows and alignment issues when handling RTPS DATA_FRAG messages.

If upgrading immediately is not possible, consider implementing network-level filtering to block malformed RTPS DATA_FRAG packets with suspicious fragment sizes or sample sizes, although no specific filtering rules are provided.

Monitoring for crashes or denial-of-service symptoms related to Fast DDS processes may also help identify exploitation attempts.

Detection Guidance

The vulnerability in Fast DDS involves processing of malformed RTPS DATA_FRAG packets with crafted fragmentSize and sampleSize values that cause heap buffer overflow. Detection involves monitoring for such malformed RTPS DATA_FRAG messages on the network or within Fast DDS logs.

While no explicit detection commands are provided in the available resources, a practical approach includes capturing and analyzing RTPS traffic for suspicious DATA_FRAG submessages with unusual fragmentSize or sampleSize values that violate expected alignment or size constraints.

You can use network packet capture tools such as tcpdump or Wireshark to filter RTPS DATA_FRAG messages and inspect their fragmentSize and sampleSize fields. For example, a tcpdump command to capture RTPS traffic on UDP port 7400 (default RTPS port) might be:

  • tcpdump -i <interface> udp port 7400 -w rtps_capture.pcap

Then, analyze the capture with Wireshark using the RTPS protocol dissector to identify DATA_FRAG submessages and check for abnormal fragment sizes or sample sizes.

Additionally, monitoring Fast DDS application logs for warnings or errors related to cache reservation failures or crashes during DATA_FRAG message processing can help detect exploitation attempts.

Since the vulnerability causes crashes (DoS) or memory corruption, observing unexpected Fast DDS process crashes or instability during RTPS communication may also indicate exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-62799. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart