CVE-2025-64438
Published: 03 February 2026
Summary
CVE-2025-64438 is a low-severity Infinite Loop (CWE-835) vulnerability in eProsima Fast DDS. Its CVSS base score is 1.7 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 2.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2025-64438 is a remotely triggerable out-of-memory (OOM) denial-of-service vulnerability in Fast DDS, a C++ implementation of the OMG Data Distribution Service (DDS) standard. It affects versions prior to 3.4.1, 3.3.1, and 2.6.11, specifically when processing RTPS GAP submessages under RELIABLE QoS. An attacker can send a small GAP packet with a huge gap range (gapList.base - gapStart), causing StatefulReader::processGapMsg() to enter an unbounded loop that inserts millions of sequence numbers into WriterProxy::changes_received_ (a std::set), resulting in multi-GB heap growth and process termination. The issue is classified as CWE-835 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any attacker with network reachability to a vulnerable DDS reader on the relevant domain can exploit this, as no authentication is required. Exploitation triggers rapid memory exhaustion—up to approximately 64 GB observed in non-ASan environments without resource limits—leading to process crash and denial of service. The attack relies solely on crafting and sending malformed RTPS GAP submessages, making it straightforward for remote unauthenticated actors.
Patches addressing this vulnerability are available in Fast DDS versions 3.4.1, 3.3.1, and 2.6.11, with specific fixes implemented in GitHub commits 0b0cb308eaeeb2175694aa0a0a723106824ce9a7, 71da01b4aea4d937558984f2cf0089f5ba3c871f, and 8ca016134dac20b6e30e42b7b73466ef7cdbc213. Security practitioners should upgrade to these versions and review the Debian security tracker at https://security-tracker.debian.org/tracker/CVE-2025-64438 for distribution-specific guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206668
Vulnerability details
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast-DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList.base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of sequence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination. No authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS limit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
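The mechanism described in the deeper analysis and in the vulnerability details above, reduced to a small model as an added illustration (this is not Fast DDS code and does not reproduce the upstream patch): a GAP range is recorded by inserting every sequence number between `gapStart` and `gapList.base` into a `std::set`, so an unbounded loop lets the peer dictate the number of allocations. The hardened variant validates the range before touching the heap and rejects a malformed range whose base precedes its start. The names `process_gap_unbounded`, `process_gap_bounded` and the cap `kMaxGapRange` are hypothetical; a real implementation should derive the bound from protocol state (for example the writer's known sequence-number window) rather than a fixed constant.

```cpp
// Added illustration (not Fast DDS code): a simplified model of how a
// RELIABLE reader records a GAP range, and a bounded variant that refuses
// oversized or malformed ranges before allocating anything.
#include <cstdint>
#include <cstdio>
#include <set>

using SequenceNumber = std::uint64_t;
using ChangesReceived = std::set<SequenceNumber>;

// Outcome of processing one GAP submessage in this model.
enum class GapResult { Applied, RejectedMalformed, RejectedTooLarge };

// Unbounded variant, mirroring the behaviour the advisory describes: every
// sequence number in [gapStart, gapListBase) is inserted into the std::set,
// so loop length and heap growth are controlled entirely by the peer.
// Only call this with small ranges; it exists to contrast with the bounded
// version below.
GapResult process_gap_unbounded(ChangesReceived& changes,
                                SequenceNumber gapStart,
                                SequenceNumber gapListBase)
{
    if (gapListBase < gapStart) return GapResult::RejectedMalformed;
    for (SequenceNumber seq = gapStart; seq < gapListBase; ++seq) {
        changes.insert(seq);
    }
    return GapResult::Applied;
}

// Hypothetical cap on how many sequence numbers one GAP may cover. A real
// implementation should bound this by protocol state (e.g. the writer's
// known window), not a constant; 4096 is a placeholder for the example.
constexpr SequenceNumber kMaxGapRange = 4096;

// Bounded variant: the range is validated before any insertion happens, and
// a base that precedes the start is rejected instead of silently tolerated.
GapResult process_gap_bounded(ChangesReceived& changes,
                              SequenceNumber gapStart,
                              SequenceNumber gapListBase,
                              SequenceNumber maxRange = kMaxGapRange)
{
    if (gapListBase < gapStart) return GapResult::RejectedMalformed;
    // Safe to subtract: base >= start has just been established.
    const SequenceNumber range = gapListBase - gapStart;
    if (range > maxRange) return GapResult::RejectedTooLarge;
    for (SequenceNumber seq = gapStart; seq < gapListBase; ++seq) {
        changes.insert(seq);
    }
    return GapResult::Applied;
}

static const char* describe(GapResult r)
{
    switch (r) {
        case GapResult::Applied:           return "applied";
        case GapResult::RejectedMalformed: return "rejected (malformed)";
        case GapResult::RejectedTooLarge:  return "rejected (range too large)";
    }
    return "unknown";
}

int main()
{
    ChangesReceived changes;
    // Constructed sample inputs: a normal gap, a malformed one, and a gap
    // whose range is huge while the packet itself stays tiny.
    std::printf("gap [10,15):        %s, set size %zu\n",
                describe(process_gap_bounded(changes, 10, 15)), changes.size());
    std::printf("gap [50,40):        %s, set size %zu\n",
                describe(process_gap_bounded(changes, 50, 40)), changes.size());
    std::printf("gap [100,1e9):      %s, set size %zu\n",
                describe(process_gap_bounded(changes, 100, 1000000000ULL)),
                changes.size());
    return 0;
}
```

The point of the bounded variant is ordering: the size check and the malformed-range check both run before the first `insert`, so a tiny packet cannot cause work or memory proportional to a peer-chosen 64-bit difference. Pairing such a check with an RSS limit on the process (the SC-6 control named above) turns a remote OOM into a local, bounded failure.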
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated crafted RTPS GAP submessage triggers unbounded loop and heap exhaustion leading to application crash, directly matching application exploitation for endpoint DoS.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the vulnerability by requiring timely remediation through patching Fast DDS to versions 3.4.1, 3.3.1, or 2.6.11, which fix the unbounded loop in StatefulReader::processGapMsg().
- Protects against the remotely triggerable OOM DoS by implementing mechanisms to limit or block the effects of malformed RTPS GAP submessages causing heap exhaustion.
- Ensures resource availability by enforcing memory limits (e.g., RSS limits) to prevent multi-GB heap growth and process termination from the unbounded std::set insertions.