CVE-2025-62799

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un authenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft ed to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write s past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption ( RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46	Patch
https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514	Patch
https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659	Patch
https://security-tracker.debian.org/tracker/CVE-2025-62799	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:eprosima:fast_dds::::::::
	cpe:2.3:a:eprosima:fast_dds::::::::
	cpe:2.3:a:eprosima:fast_dds:3.4.0:::::::*

Configuration 2 (hide)

OR	cpe:2.3:o:debian:debian_linux:11.0:::::::*
	cpe:2.3:o:debian:debian_linux:12.0:::::::*
	cpe:2.3:o:debian:debian_linux:13.0:::::::*

History

No history.

Information

Published : 2026-02-03 20:15

Updated : 2026-02-18 16:11

NVD link : CVE-2025-62799

Mitre link : CVE-2025-62799

CVE.ORG link : CVE-2025-62799

JSON object : View

Products Affected

eprosima

fast_dds

debian

debian_linux

CWE

CWE-122

Heap-based Buffer Overflow

CWE-787

Out-of-bounds Write

{"id": "CVE-2025-62799", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-03T20:15:56.983", "references": [{"url": "https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://security-tracker.debian.org/tracker/CVE-2025-62799", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-122"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un\nauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft\ned to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write\ns past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (\nRCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."}, {"lang": "es", "value": "Fast DDS es una implementaci\u00f3n en C++ del est\u00e1ndar DDS (Data Distribution Service) de la OMG (Object Management Group). Antes de las versiones 3.4.1, 3.3.1 y 2.6.11, existe un desbordamiento de b\u00fafer de pila en la ruta de recepci\u00f3n DATA_FRAG de Fast-DDS. Un remitente no autenticado puede transmitir un \u00fanico paquete RTPS DATA_FRAG malformado donde 'fragmentSize' y 'sampleSize' est\u00e1n manipulados para violar suposiciones internas. Debido a un paso de alineaci\u00f3n de 4 bytes durante la inicializaci\u00f3n de los metadatos del fragmento, el c\u00f3digo escribe m\u00e1s all\u00e1 del final del b\u00fafer de carga \u00fatil asignado, causando un fallo inmediato (DoS) y potencialmente permitiendo la corrupci\u00f3n de memoria (riesgo de RCE). Las versiones 3.4.1, 3.3.1 y 2.6.11 parchean el problema."}], "lastModified": "2026-02-18T16:11:20.163", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8BAE40E0-6DFF-4878-9438-9C2488C9831C", "versionEndExcluding": "2.6.11"}, {"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "94A01F76-524F-4A5B-A782-CC789F229136", "versionEndExcluding": "3.3.1", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:eprosima:fast_dds:3.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4452677-95AB-46F9-9B76-9F0B15E62261"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED"}, {"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C"}, {"criteria": "cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "204FC6CC-9DAC-45FB-8A9F-C9C8EDD29D54"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}