Cyber Posture

CVE-2025-62602

High

Published: 03 February 2026
Modified: 18 February 2026
KEV Added: not in the CISA KEV catalog
Patch: available in 3.4.1, 3.3.1 and 2.6.11
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0002 (5.9th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-62602 is a high-severity heap-based buffer overflow (CWE-122) vulnerability in eProsima Fast DDS. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 5.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).
Threat & Defense Details

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-787

Out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by the same memory protections.

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A remote heap overflow in a network-facing DDS service directly enables application exploitation that results in process termination (denial of service).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specifically, `readOctetVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter — the attacker-controlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause a large allocation attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.

Deeper analysis (AI)

CVE-2025-62602 is a heap buffer overflow vulnerability in Fast DDS, a C++ implementation of the OMG Data Distribution Service (DDS) standard. The issue affects versions prior to 3.4.1, 3.3.1, and 2.6.11 when security mode is enabled. It arises from modifying the DATA Submessage within an SPDP packet sent by a publisher, specifically by tampering with the fields of PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN. The function readOctetVector reads an unchecked vecsize value that is propagated unchanged into readData as the length parameter, allowing an attacker-controlled vecsize to trigger a 32-bit integer overflow during length calculation. This leads to a large allocation attempt, resulting in out-of-memory conditions and remote process termination. The vulnerability is rated 7.5 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-122 (Heap-based Buffer Overflow) and CWE-787 (Out-of-bounds Write).

An attacker can exploit this vulnerability remotely over the network without authentication or user interaction by crafting and sending a malicious SPDP packet with a tampered DATA Submessage. The integer overflow causes excessive memory allocation, quickly exhausting resources and terminating the Fast DDS process, enabling a denial-of-service attack. Exploitation requires the target to have security mode enabled and to process the malicious packet, which can occur in discovery phases of DDS communications.

Patches addressing this issue are available in Fast DDS versions 3.4.1, 3.3.1, and 2.6.11, as implemented in specific GitHub commits such as 354218514d32beac963ff5c306f1cf159ee37c5f, a726e6a5daba660418d1f7c05b6f203c17747d2b, and ced3b6f92d928af1eae77d5fe889878128ad421a. Security practitioners should upgrade to these versions for mitigation. Debian's security tracker also documents the CVE for affected packages.
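The defect class described in the NVD text and the analysis above is a wire-supplied vector length that reaches length arithmetic and allocation unchecked. The following is an added, simplified illustration of the hardening a reader of such a field needs; it is hypothetical code written for this page, not Fast DDS source, and `OV_HEADER_BYTES`, `OV_MAX_VECSIZE`, `read_octet_vector` and the sample buffers are all assumptions rather than the project's names or its actual length formula.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Status codes returned by the hypothetical reader below. */
enum ov_status { OV_OK = 0, OV_TRUNCATED, OV_OVERFLOW, OV_TOO_LARGE, OV_NOMEM };
/* Assumed constants: a 4-byte header the reader folds into its length
 * arithmetic, and a deployment cap on token vectors. Not Fast DDS values. */
#define OV_HEADER_BYTES 4u
#define OV_MAX_VECSIZE  (64u * 1024u)
static uint32_t read_u32_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
/* Hardened octet-vector read: vecsize is validated against 32-bit arithmetic,
 * the bytes actually present, and a size cap before any allocation happens. */
int read_octet_vector(const uint8_t *buf, size_t buf_len, size_t *pos,
                      uint8_t **out, uint32_t *out_len) {
    if (*pos > buf_len || buf_len - *pos < 4) return OV_TRUNCATED;
    uint32_t vecsize = read_u32_le(buf + *pos);
    size_t remaining = buf_len - *pos - 4;
    /* 1. The length calculation itself must not wrap in 32 bits. */
    if (vecsize > UINT32_MAX - OV_HEADER_BYTES) return OV_OVERFLOW;
    /* 2. The claimed length must fit inside the packet that carried it. */
    if (vecsize > remaining) return OV_TRUNCATED;
    /* 3. Bound the allocation independently of what the peer claims. */
    if (vecsize > OV_MAX_VECSIZE) return OV_TOO_LARGE;
    uint8_t *data = malloc(vecsize ? vecsize : 1);
    if (!data) return OV_NOMEM;
    memcpy(data, buf + *pos + 4, vecsize);
    *pos += 4 + (size_t)vecsize;
    *out = data;
    *out_len = vecsize;
    return OV_OK;
}
/* Convenience wrapper: parse one buffer and report the status code. */
int parse_status(const uint8_t *msg, size_t n) {
    size_t pos = 0; uint8_t *data = NULL; uint32_t len = 0;
    int rc = read_octet_vector(msg, n, &pos, &data, &len);
    free(data);
    return rc;
}
/* Constructed samples (not captured traffic): a well-formed 3-byte vector, a
 * vecsize that would wrap the 32-bit length, and a vecsize past the payload. */
static const uint8_t SAMPLE_OK[]    = {0x03, 0x00, 0x00, 0x00, 'a', 'b', 'c'};
static const uint8_t SAMPLE_WRAP[]  = {0xFF, 0xFF, 0xFF, 0xFF, 0x41};
static const uint8_t SAMPLE_SHORT[] = {0x10, 0x00, 0x00, 0x00, 0x41};
```

The order of the three checks matters: the overflow guard runs before any arithmetic that could wrap, and the remaining-bytes check rejects an oversized claim before the allocator is ever consulted.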

Details

CWE(s)

Affected Products

eprosima
fast dds
3.4.0 · ≤ 2.6.11 · 3.0.0 — 3.3.1
debian
debian linux
11.0, 12.0, 13.0

CVEs Like This One

CVE-2025-62599: same product (Debian Debian Linux)
CVE-2025-62600: same product (Debian Debian Linux)
CVE-2025-62799: same product (Debian Debian Linux)
CVE-2025-62603: same product (Debian Debian Linux)
CVE-2025-62601: same product (Eprosima Fast Dds)
CVE-2025-64438: same product (Eprosima Fast Dds)
CVE-2024-56374: same product (Debian Debian Linux)
CVE-2025-26699: same product (Debian Debian Linux)
CVE-2026-23490: same product (Debian Debian Linux)
CVE-2025-25475: same product (Debian Debian Linux)

References