Cyber Resilience

CVE-2025-64438

Low

Published: 03 February 2026

Modified: 18 February 2026
KEV Added
Patch
CVSS Score v4: 1.7
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0001 (2.6th percentile)
Risk Priority: 3 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-64438 is a low-severity Infinite Loop (CWE-835) vulnerability in eProsima Fast DDS. Its CVSS v4 base score is 1.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It ranks at the 2.6th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2025-64438 is a remotely triggerable out-of-memory (OOM) denial-of-service vulnerability in Fast DDS, a C++ implementation of the OMG Data Distribution Service (DDS) standard. It affects versions prior to 3.4.1, 3.3.1, and 2.6.11, specifically when processing RTPS GAP submessages under RELIABLE QoS. An attacker can send a small GAP packet with a huge gap range (gapList.base - gapStart), causing StatefulReader::processGapMsg() to enter an unbounded loop that inserts millions of sequence numbers into WriterProxy::changes_received_ (a std::set), resulting in multi-GB heap growth and process termination. The issue is classified as CWE-835 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Any attacker with network reachability to a vulnerable DDS reader on the relevant domain can exploit this, as no authentication is required. Exploitation triggers rapid memory exhaustion—up to approximately 64 GB observed in non-ASan environments without resource limits—leading to process crash and denial of service. The attack relies solely on crafting and sending malformed RTPS GAP submessages, making it straightforward for remote unauthenticated actors.

Patches addressing this vulnerability are available in Fast DDS versions 3.4.1, 3.3.1, and 2.6.11, with specific fixes implemented in GitHub commits 0b0cb308eaeeb2175694aa0a0a723106824ce9a7, 71da01b4aea4d937558984f2cf0089f5ba3c871f, and 8ca016134dac20b6e30e42b7b73466ef7cdbc213. Security practitioners should upgrade to these versions and review the Debian security tracker at https://security-tracker.debian.org/tracker/CVE-2025-64438 for distribution-specific guidance.
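The loop pattern described above, next to a bounded variant, as an added example. This is a simplified model and not Fast DDS source or the upstream patch; `ReaderState`, `process_gap_unbounded`, `process_gap_bounded`, `GapResult` and the `kMaxGapSpan` limit are hypothetical names and values chosen for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <set>

// Simplified model, not Fast DDS source. All names here are hypothetical.
using SequenceNumber = std::uint64_t;

struct ReaderState {
    std::set<SequenceNumber> changes_received;  // stands in for WriterProxy::changes_received_
};

// Pattern the advisory describes: one set insertion per sequence number in
// [gap_start, gap_list_base), with the range taken straight from the wire.
std::size_t process_gap_unbounded(ReaderState& r, SequenceNumber gap_start,
                                  SequenceNumber gap_list_base) {
    std::size_t inserted = 0;
    for (SequenceNumber sn = gap_start; sn < gap_list_base; ++sn) {
        inserted += r.changes_received.insert(sn).second ? 1 : 0;
    }
    return inserted;
}

// Assumed mitigation: refuse any GAP whose span exceeds a configured cap
// before touching the set, so work and memory are bounded per submessage.
constexpr std::uint64_t kMaxGapSpan = 4096;  // constructed limit for this example

enum class GapResult { Accepted, EmptyOrInverted, RejectedTooLarge };

GapResult process_gap_bounded(ReaderState& r, SequenceNumber gap_start,
                              SequenceNumber gap_list_base) {
    if (gap_list_base <= gap_start) return GapResult::EmptyOrInverted;
    // Subtraction cannot wrap: gap_list_base > gap_start was checked above.
    if (gap_list_base - gap_start > kMaxGapSpan) return GapResult::RejectedTooLarge;
    process_gap_unbounded(r, gap_start, gap_list_base);
    return GapResult::Accepted;
}

int main() {
    ReaderState r;
    // Constructed inputs: a normal 3-element gap, then a span of about 2^40.
    GapResult ok = process_gap_bounded(r, 10, 13);
    GapResult big = process_gap_bounded(r, 1, (1ULL << 40));
    std::printf("ok=%d big=%d tracked=%zu\n", static_cast<int>(ok),
                static_cast<int>(big), r.changes_received.size());
    return 0;
}
```

The oversized range is rejected before any insertion, so the tracked set stays at the three entries from the legitimate gap.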

EU & UK References

Vulnerability details

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast-DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList.base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of sequence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination. No authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS limit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004: Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated crafted RTPS GAP submessage triggers unbounded loop and heap exhaustion leading to application crash, directly matching application exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-62601 (Same product: eProsima Fast DDS)
CVE-2025-24807 (Same product: eProsima Fast DDS)
CVE-2025-62600 (Same product: eProsima Fast DDS)
CVE-2025-62602 (Same product: eProsima Fast DDS)
CVE-2025-62599 (Same product: eProsima Fast DDS)
CVE-2025-62603 (Same product: eProsima Fast DDS)
CVE-2026-26283 (Shared CWE-835)
CVE-2026-39806 (Shared CWE-835)
CVE-2026-29975 (Shared CWE-835)
CVE-2026-44302 (Shared CWE-835)

Affected Assets

eprosima
fast dds
3.4.0 · ≤ 2.6.11 · 3.0.0 — 3.3.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the vulnerability by requiring timely remediation through patching Fast DDS to versions 3.4.1, 3.3.1, or 2.6.11, which fix the unbounded loop in StatefulReader::processGapMsg().

prevent

Protects against the remotely triggerable OOM DoS by implementing mechanisms to limit or block the effects of malformed RTPS GAP submessages causing heap exhaustion.

prevent

Ensures resource availability by enforcing memory limits (e.g., RSS limits) to prevent multi-GB heap growth and process termination from the unbounded std::set insertions.

References