CVE-2025-64438
Published: 03 February 2026
Summary
CVE-2025-64438 is a high-severity Infinite Loop (CWE-835) vulnerability in eProsima Fast DDS. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 12.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A crafted RTPS GAP submessage from a remote, unauthenticated sender triggers an unbounded loop and heap exhaustion, leading to an application crash. This directly matches application exploitation for endpoint DoS.
NVD Description
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast-DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList.base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of sequence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination. No authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS limit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Deeper analysis
CVE-2025-64438 is a remotely triggerable out-of-memory (OOM) denial-of-service vulnerability in Fast DDS, a C++ implementation of the OMG Data Distribution Service (DDS) standard. It affects versions prior to 3.4.1, 3.3.1, and 2.6.11, specifically when processing RTPS GAP submessages under RELIABLE QoS. An attacker can send a small GAP packet with a huge gap range (`gapList.base - gapStart`), causing `StatefulReader::processGapMsg()` to enter an unbounded loop that inserts millions of sequence numbers into `WriterProxy::changes_received_` (a `std::set`), resulting in multi-GB heap growth and process termination. The issue is classified as CWE-835 with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Any attacker with network reachability to a vulnerable DDS reader on the relevant domain can exploit this, as no authentication is required. Exploitation triggers rapid memory exhaustion—up to approximately 64 GB observed in non-ASan environments without resource limits—leading to process crash and denial of service. The attack relies solely on crafting and sending malformed RTPS GAP submessages, making it straightforward for remote unauthenticated actors.
Patches addressing this vulnerability are available in Fast DDS versions 3.4.1, 3.3.1, and 2.6.11, with specific fixes implemented in GitHub commits 0b0cb308eaeeb2175694aa0a0a723106824ce9a7, 71da01b4aea4d937558984f2cf0089f5ba3c871f, and 8ca016134dac20b6e30e42b7b73466ef7cdbc213. Security practitioners should upgrade to these versions and review the Debian security tracker at https://security-tracker.debian.org/tracker/CVE-2025-64438 for distribution-specific guidance.
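The loop pattern described above, next to a range-checked variant, as an added C++ example. It is not Fast DDS source and not the upstream patch; `ToyReaderState`, `mark_gap_naive`, `mark_gap_bounded`, the `budget` stop and the `kMaxGapWindow` limit are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <set>

// Illustrative model only: not Fast DDS source and not the upstream patch.
using SeqNum = std::uint64_t;

struct ToyReaderState {
    std::set<SeqNum> changes_received;  // one heap node per sequence number
};

// Vulnerable pattern: the loop bound comes straight from the message, so work
// and memory scale with the sender's numbers, not with the packet size.
// `budget` is a demo-only stop so this example terminates.
std::size_t mark_gap_naive(ToyReaderState& r, SeqNum gap_start, SeqNum gap_base,
                           std::size_t budget) {
    std::size_t inserted = 0;
    for (SeqNum s = gap_start; s < gap_base && inserted < budget; ++s) {
        r.changes_received.insert(s);
        ++inserted;
    }
    return inserted;
}

// Assumed policy for this sketch: the largest range a reader will expand.
constexpr SeqNum kMaxGapWindow = 1024;

// Bounded variant: validate the range before iterating, reject anything that
// is inverted or wider than the window, and leave state untouched on reject.
bool mark_gap_bounded(ToyReaderState& r, SeqNum gap_start, SeqNum gap_base) {
    if (gap_base < gap_start) return false;                  // inverted range
    if (gap_base - gap_start > kMaxGapWindow) return false;  // oversized range
    for (SeqNum s = gap_start; s < gap_base; ++s) {
        r.changes_received.insert(s);
    }
    return true;
}

int main() {
    const SeqNum huge_base = SeqNum{1} << 40;  // constructed sample value
    ToyReaderState naive, bounded;
    const std::size_t n = mark_gap_naive(naive, 1, huge_base, 100000);
    const bool accepted = mark_gap_bounded(bounded, 1, huge_base);
    std::printf("naive: %zu nodes before the demo budget stopped it\n", n);
    std::printf("bounded: accepted=%d nodes=%zu\n", accepted ? 1 : 0,
                bounded.changes_received.size());
    return 0;
}
```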
Details
- CWE(s)