CVE-2025-62799 (GCVE-0-2025-62799)
Vulnerability from cvelistv5
Published
2026-02-03 19:26
Modified
2026-02-03 20:40
Severity ?
7.2 (High) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
CWE
  • CWE-122 - Heap-based Buffer Overflow
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un authenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft ed to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write s past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption ( RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
References
Impacted products
Vendor Product Version
eProsima Fast-DDS Version: 3.4.0   < 3.4.1
Version: 3.0.0   < 3.3.1
Version: 0   < 2.6.11
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62799",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T20:40:27.383841Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T20:40:35.185Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Fast-DDS",
          "repo": "https://github.com/eProsima/Fast-DDS",
          "vendor": "eProsima",
          "versions": [
            {
              "lessThan": "3.4.1",
              "status": "affected",
              "version": "3.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.3.1",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "2.6.11",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An\n unauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are cr\nafted to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code wr\nites past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruptio\nn (RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
            }
          ],
          "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un\nauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft\ned to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write\ns past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (\nRCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "exploitMaturity": "UNREPORTED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T19:26:22.397Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://security-tracker.debian.org/tracker/CVE-2025-62799"
        },
        {
          "url": "https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659"
        },
        {
          "url": "https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46"
        },
        {
          "url": "https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "FastDDS\u0027s heap buffer overflow in RTPS DATA_FRAG enables unauthenticated DoS (potential RCE)",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-62799",
    "datePublished": "2026-02-03T19:26:22.397Z",
    "dateReserved": "2025-10-22T18:55:48.012Z",
    "dateUpdated": "2026-02-03T20:40:35.185Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-62799\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-03T20:40:27.383841Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-03T20:40:32.293Z\"}}], \"cna\": {\"title\": \"FastDDS\u0027s heap buffer overflow in RTPS DATA_FRAG enables unauthenticated DoS (potential RCE)\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.2, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U\", \"exploitMaturity\": \"UNREPORTED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/eProsima/Fast-DDS\", \"vendor\": \"eProsima\", \"product\": \"Fast-DDS\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.4.0\", \"lessThan\": \"3.4.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"3.3.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.6.11\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://security-tracker.debian.org/tracker/CVE-2025-62799\"}, {\"url\": \"https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659\"}, {\"url\": \"https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46\"}, {\"url\": \"https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un\\nauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft\\ned to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write\\ns past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (\\nRCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An\\n unauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are cr\\nafted to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code wr\\nites past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruptio\\nn (RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-122\", \"description\": \"CWE-122 Heap-based Buffer Overflow\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-03T19:26:22.397Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-62799\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-03T20:40:35.185Z\", \"dateReserved\": \"2025-10-22T18:55:48.012Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-03T19:26:22.397Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.