Cyber Resilience

CVE-2025-62601

Severity: Low

Published: 03 February 2026
Modified: 18 February 2026
KEV Added: not listed
Patch: available
CVSS Score (v4): 1.7 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0001 (2.8th percentile)
Risk Priority: 3 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-62601 is a low-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Eprosima Fast Dds. Its CVSS v4 base score is 1.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The vulnerability ranks at the 2.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-62601 is a heap buffer overflow vulnerability in Fast DDS, a C++ implementation of the OMG Data Distribution Service (DDS) standard. It affects versions prior to 3.4.1, 3.3.1, and 2.6.11 when security mode is enabled. The issue arises from modifying the DATA Submessage within an SPDP packet sent by a publisher, specifically by tampering with the `str_size` value in the `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` fields. This tampering, processed via `readString` called from `readBinaryProperty`, triggers a 32-bit integer overflow that causes `std::vector::resize` to allocate an attacker-controlled size, leading to the heap buffer overflow. The vulnerability is rated 7.5 on the CVSS v3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and maps to CWEs 122 (Heap-based Buffer Overflow) and 787 (Out-of-bounds Write).

A remote, unauthenticated attacker can exploit this vulnerability by crafting and sending a malformed SPDP packet to a targeted Fast DDS publisher with security enabled. No user interaction or privileges are required, enabling exploitation over the network with low complexity. Successful exploitation results in remote process termination via the heap buffer overflow, causing a denial-of-service condition on the affected Fast DDS instance.

Mitigation requires upgrading to Fast DDS versions 3.4.1, 3.3.1, or 2.6.11, which include patches addressing the integer overflow and buffer handling in the relevant submessage parsing code. The fixing commits are available at https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f, https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b, and https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a. Additional tracking is provided by the Debian security team at https://security-tracker.debian.org/tracker/CVE-2025-62601.

EU & UK References

Vulnerability details

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are modified, specifically by tampering with the `str_size` value read by `readString` (called from `readBinaryProperty`), a 32-bit integer overflow can occur, causing `std::vector::resize` to use an attacker-controlled size and quickly trigger a heap buffer overflow and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.

CWE(s)

CWE-122 (Heap-based Buffer Overflow), CWE-787 (Out-of-bounds Write)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote heap buffer overflow in network-facing DDS component directly enables application/system exploitation resulting in DoS (availability impact only).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-64438 (same product: Eprosima Fast Dds)
CVE-2025-62602 (same product: Eprosima Fast Dds)
CVE-2025-24807 (same product: Eprosima Fast Dds)
CVE-2025-62599 (same product: Eprosima Fast Dds)
CVE-2025-62799 (same product: Eprosima Fast Dds)
CVE-2025-62600 (same product: Eprosima Fast Dds)
CVE-2025-62603 (same product: Eprosima Fast Dds)
CVE-2026-24925 (shared CWE-122, CWE-787)
CVE-2024-55627 (shared CWE-122, CWE-787)
CVE-2025-32990 (shared CWE-122)

Affected Assets

eprosima fast dds: 3.4.0 · ≤ 2.6.11 · 3.0.0 — 3.3.1

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): Flaw remediation directly mitigates this CVE by requiring timely patching to Fast DDS versions 3.4.1, 3.3.1, or 2.6.11, which fix the integer overflow and heap buffer overflow in SPDP packet parsing.

SI-10 Information Input Validation (prevent): Information input validation prevents the heap buffer overflow by validating fields like `str_size` in `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` before processing in `readString` and `readBinaryProperty`.
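The parsing defect described in the deeper analysis above and the input-validation control here, as an added C++ example that is not Fast DDS code: a toy length-prefixed `readString`/`readBinaryProperty` pair showing why an unchecked 32-bit addition (`pos + str_size`) lets an oversized `str_size` pass a naive bound and reach `std::vector::resize`, beside the check that compares `str_size` against the bytes actually remaining before anything is sized. The wire layout (little-endian, no alignment padding), the property name `dds.cert.sn`, the 64 KiB per-field cap and the function names are assumptions made for the demo, not Fast DDS's wire format or API.

```cpp
// Added example (not Fast DDS code): a length-prefixed parser in the shape the
// advisory describes (readString called from readBinaryProperty), contrasting an
// unchecked 32-bit length check with a bounds-checked one. Wire layout, names and
// the per-field cap are assumptions made for this demo.
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <vector>

// Read cursor over one received parameter-list payload (little-endian, no
// alignment padding; real RTPS/CDR encoding carries both, omitted here).
struct Cursor {
    const std::vector<uint8_t>& buf;
    size_t pos = 0;
    explicit Cursor(const std::vector<uint8_t>& b) : buf(b) {}
    size_t remaining() const { return buf.size() - pos; }
    bool readU32(uint32_t& out) {
        if (remaining() < 4) return false;
        out = static_cast<uint32_t>(buf[pos]) | (static_cast<uint32_t>(buf[pos + 1]) << 8) |
              (static_cast<uint32_t>(buf[pos + 2]) << 16) | (static_cast<uint32_t>(buf[pos + 3]) << 24);
        pos += 4;
        return true;
    }
};

// The defective shape: adding an attacker-supplied str_size to a 32-bit position
// wraps, so "end <= len" can hold for a str_size far larger than the packet.
// This only evaluates the comparison; nothing is allocated from it.
bool naiveLengthCheckPasses(uint32_t pos, uint32_t str_size, uint32_t len) {
    uint32_t end = pos + str_size;  // wraps modulo 2^32
    return end <= len;
}

// Hardened readString: bound str_size by the bytes actually remaining (a
// subtraction that cannot overflow) and by a policy cap, before anything is sized.
bool readString(Cursor& c, std::string& out, uint32_t max_len = 64 * 1024) {
    uint32_t str_size = 0;
    if (!c.readU32(str_size)) return false;
    if (str_size > max_len) return false;        // one field must not dominate the packet
    if (str_size > c.remaining()) return false;  // cannot read past the received bytes
    out.assign(reinterpret_cast<const char*>(c.buf.data() + c.pos), str_size);
    c.pos += str_size;
    return true;
}

// A binary property for this demo: a name string followed by a length-prefixed
// value blob (assumed layout).
struct BinaryProperty {
    std::string name;
    std::vector<uint8_t> value;
};

bool readBinaryProperty(Cursor& c, BinaryProperty& out) {
    if (!readString(c, out.name)) return false;
    uint32_t value_size = 0;
    if (!c.readU32(value_size)) return false;
    if (value_size > c.remaining()) return false;  // proven in-bounds before resize
    out.value.resize(value_size);
    if (value_size != 0) std::memcpy(out.value.data(), c.buf.data() + c.pos, value_size);
    c.pos += value_size;
    return true;
}

// Constructed sample payloads (not captured traffic).
static void putU32(std::vector<uint8_t>& b, uint32_t v) {
    for (int i = 0; i < 4; ++i) b.push_back(static_cast<uint8_t>(v >> (8 * i)));
}

std::vector<uint8_t> wellFormedProperty() {
    std::vector<uint8_t> b;
    const std::string name = "dds.cert.sn";  // assumed property name
    putU32(b, static_cast<uint32_t>(name.size()));
    b.insert(b.end(), name.begin(), name.end());
    putU32(b, 3);
    b.insert(b.end(), {0xAA, 0xBB, 0xCC});
    return b;  // 4 + 11 + 4 + 3 = 22 bytes
}

// Same payload with str_size overwritten with 0xFFFFFFFF.
std::vector<uint8_t> tamperedProperty() {
    std::vector<uint8_t> b = wellFormedProperty();
    b[0] = b[1] = b[2] = b[3] = 0xFF;
    return b;
}

bool parseProperty(const std::vector<uint8_t>& packet, BinaryProperty& out) {
    Cursor c(packet);
    return readBinaryProperty(c, out);
}

int main() {
    BinaryProperty p;
    std::cout << "well-formed accepted: " << parseProperty(wellFormedProperty(), p)
              << " (name=" << p.name << ", value bytes=" << p.value.size() << ")\n";
    std::cout << "tampered accepted:    " << parseProperty(tamperedProperty(), p) << "\n";
    std::cout << "naive 32-bit check accepts str_size=0xFFFFFFFF at pos 4 of 22 bytes: "
              << naiveLengthCheckPasses(4, 0xFFFFFFFFu, 22) << "\n";
    return 0;
}
```

The hardened reader never forms `pos + str_size` at all: it asks whether `str_size` exceeds `remaining()`, a subtraction of two values already known to be ordered, so no wraparound is possible and `resize` only ever sees a size that fits in the bytes received. The same pattern (validate against remaining input, cap per field, then allocate) is what a code review of any length-prefixed parser should look for.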

SI-16 Memory Protection (prevent): Memory protection mechanisms such as address space layout randomization or heap canaries provide secondary mitigation against exploitation of the heap buffer overflow triggered by the attacker-controlled vector resize.

References