Cyber Posture

CVE-2025-62603

High

Published: 03 February 2026

Modified: 18 February 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0004 (12.1th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-62603 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in eProsima Fast DDS. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 12.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Application or System Exploitation (T1499.004).
Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

A remote, unauthenticated peer can send a malformed message to a public-facing DDS service over the network, and parsing that message crashes the application or system.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also ongoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i.e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operates at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), so it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence numbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsing behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.

Deeper analysis (AI)

CVE-2025-62603 is a denial-of-service vulnerability in Fast DDS, an open-source C++ implementation of the OMG Data Distribution Service (DDS) standard. The issue resides in the parsing of ParticipantGenericMessage, a DDS Security control-message container used for handshakes and ongoing security traffic like crypto-token exchanges. Upon receipt, the CDR parser deserializes the message_data field, specifically the DataHolderSeq, by reading a sequence count followed by class_id strings, string properties, and binary properties for each holder. Due to RTPS protocol allowances for duplicates, delays, and retransmissions, the stateless parser fully unfolds potentially malformed structures without higher-layer state awareness, leading to excessive memory allocation and an out-of-memory condition that terminates the process. This affects Fast DDS versions prior to 3.4.1, 3.3.1, and 2.6.11.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating network-accessible exploitation with low complexity and no required privileges or user interaction. Any unauthenticated remote attacker capable of sending RTPS traffic to a vulnerable Fast DDS participant can craft a malicious ParticipantGenericMessage with a large or malformed DataHolderSeq, triggering the full parsing path and causing memory exhaustion. Successful exploitation results in remote process termination, disrupting service availability for DDS-based applications relying on Fast DDS for real-time pub-sub communication.
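As an added illustration of the mitigation the description implies (not Fast DDS code, and not the upstream fix), the following simplified C++ reader bounds every attacker-controlled sequence count by the bytes actually present before sizing any container, so a message that declares billions of holders is rejected instead of unfolded. The `DataHolderSeq` layout, the function and type names, and the sample encodings are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstring>
#include <initializer_list>
#include <string>
#include <utility>
#include <vector>
// Little-endian CDR-style reader. Every declared count is checked against the bytes that remain BEFORE any container is sized from it.
struct Reader {
    const uint8_t* p; size_t left;
    bool u32(uint32_t& v) { if (left < 4) return false; std::memcpy(&v, p, 4); p += 4; left -= 4; return true; }
    // n elements of at least min_elem bytes each cannot fit in fewer than n*min_elem bytes.
    bool count(uint32_t& n, size_t min_elem) { return u32(n) && n <= left / min_elem; }
    // Length-prefixed string; an octet vector is read the same way here.
    bool str(std::string& s) {
        uint32_t n; if (!u32(n) || n > left) return false;
        s.assign(reinterpret_cast<const char*>(p), n); p += n; left -= n; return true;
    }
};
using Props = std::vector<std::pair<std::string, std::string>>;
struct DataHolder { std::string class_id; Props string_props, binary_props; };
// Layout assumed here: uint32 count; per holder: class_id, string-property sequence (key, value), binary-property sequence (name, octets).
bool parse_data_holder_seq(const uint8_t* buf, size_t len, std::vector<DataHolder>& out) {
    Reader r{buf, len};
    uint32_t n, m;
    if (!r.count(n, 12)) return false;  // a holder needs at least three length words
    out.clear(); out.reserve(n);        // safe: n is already bounded by len / 12
    for (uint32_t i = 0; i < n; ++i) {
        DataHolder h;
        if (!r.str(h.class_id)) return false;
        for (Props* props : {&h.string_props, &h.binary_props}) {
            if (!r.count(m, 8)) return false;  // each pair needs two length words
            for (uint32_t j = 0; j < m; ++j) {
                std::string k, v;
                if (!r.str(k) || !r.str(v)) return false;
                props->emplace_back(std::move(k), std::move(v));
            }
        }
        out.push_back(std::move(h));
    }
    return r.left == 0;  // reject trailing bytes
}
// Constructed sample encodings (not captured traffic).
static void put_u32(std::vector<uint8_t>& b, uint32_t v) { for (int i = 0; i < 4; ++i) b.push_back(uint8_t(v >> (8 * i))); }
static void put_str(std::vector<uint8_t>& b, const std::string& s) { put_u32(b, s.size()); b.insert(b.end(), s.begin(), s.end()); }
std::vector<uint8_t> well_formed_message() {
    std::vector<uint8_t> b; put_u32(b, 1); put_str(b, "DDS:Auth:PKI-DH:1.0+Req");
    put_u32(b, 1); put_str(b, "key"); put_str(b, "value"); put_u32(b, 0); return b;
}
// Declares about 4 billion holders with no payload: rejected before any allocation.
std::vector<uint8_t> oversized_count_message() { return {0xff, 0xff, 0xff, 0xff}; }
```

The same bound applies to the string and octet lengths, so a truncated message fails closed rather than reading past the buffer.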

Patches addressing this issue are available in Fast DDS versions 3.4.1, 3.3.1, and 2.6.11, as detailed in upstream GitHub commits such as 354218514d32beac963ff5c306f1cf159ee37c5f, a726e6a5daba660418d1f7c05b6f203c17747d2b, and ced3b6a5d928af1eae77d5fe889878128ad421a. Security practitioners should upgrade to these fixed releases. Debian's security tracker also documents the CVE for affected packages.

Details

CWE(s): CWE-125 Out-of-bounds Read

Affected Products

eprosima fast dds: 3.4.0 · ≤ 2.6.11 · 3.0.0 to 3.3.1
debian debian linux: 11.0, 12.0, 13.0

CVEs Like This One

CVE-2025-62599 · Same product: Debian Debian Linux
CVE-2025-62600 · Same product: Debian Debian Linux
CVE-2025-62602 · Same product: Debian Debian Linux
CVE-2025-62799 · Same product: Debian Debian Linux
CVE-2025-62601 · Same product: Eprosima Fast Dds
CVE-2025-64438 · Same product: Eprosima Fast Dds
CVE-2026-3622 · Shared CWE-125
CVE-2026-32319 · Shared CWE-125
CVE-2026-41604 · Shared CWE-125
CVE-2026-32877 · Shared CWE-125

References