Description
eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.
If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readBinaryPropertySeq— are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1.
Published: 2026-02-03
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Denial of Service (process termination)
Action: Patch Immediately
AI Analysis

Impact

An integer overflow in eProsima Fast‑DDS’s readBinaryPropertySeq function occurs when the length field of a property in the DATA Submessage is tampered with while DDS Security is enabled. This overflow leads to an out‑of‑memory condition during a resize operation, causing the Fast‑DDS process to crash. The result is a remote denial of service that can terminate any Fast‑DDS instance receiving the malformed packet, reflecting the weaknesses detailed in CWE‑190 and CWE‑789.

Affected Systems

The flaw affects eProsima Fast‑DDS versions prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1. Systems running these libraries on Debian Linux 11, 12, or 13 are impacted when DDS Security is enabled. Any deployment that uses the secure branch of Fast‑DDS must verify the version in use.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, while the EPSS score of less than 1% suggests a low probability of real‑world exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a publisher able to send a crafted SPDP packet to a target subscriber with security enabled—a scenario plausible in shared or hostile networks such as industrial control or multiplayer gaming environments. The crash is repeatable and reliably triggers a denial‑of‑service once the conditions are met.

Generated by OpenCVE AI on April 20, 2026 at 16:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade eProsima Fast‑DDS to at least 2.6.11, 2.14.6, 3.2.4, 3.3.1, or 3.4.1, or to a newer release that includes the fix.
  • If an immediate upgrade is not feasible, disable DDS Security for the affected processes to remove the vulnerable code path.
  • Restart affected services after patching to ensure the new binaries are loaded.

Generated by OpenCVE AI on April 20, 2026 at 16:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
References
Metrics cvssV4_0

{'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}

Thu, 09 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Description Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t he fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readBinaryPropertySeq — are modified, an integer overflow occurs, leading to an OOM during the resize operation. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readBinaryPropertySeq— are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1.
Title FastDDS has Out-of-Memory in readPropertySeq via Manipulated DATA Submessage when DDS Security is enabled eprosima Fast DDS affected by Out-of-Memory in readBinaryPropertySeq via Manipulated DATA Submessage when DDS Security is enabled
Weaknesses CWE-789
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

cvssV4_0

{'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}

 cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}

cvssV4_0

{'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X'}

Tue, 24 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Debian
Debian debian Linux
CPEs cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*
cpe:2.3:a:eprosima:fast_dds:3.4.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*
Vendors & Products Debian
Debian debian Linux
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 04 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Eprosima
Eprosima fast Dds
Vendors & Products Eprosima
Eprosima fast Dds

Tue, 03 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Description Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t he fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readBinaryPropertySeq — are modified, an integer overflow occurs, leading to an OOM during the resize operation. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Title FastDDS has Out-of-Memory in readPropertySeq via Manipulated DATA Submessage when DDS Security is enabled
Weaknesses CWE-125
CWE-190
References
Metrics cvssV4_0

{'score': 1.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Debian Debian Linux
Eprosima Fast Dds
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T15:39:28.295Z

Reserved: 2025-10-16T19:24:37.267Z

Link: CVE-2025-62600

cve-icon Vulnrichment

Updated: 2026-02-03T19:48:07.605Z

cve-icon NVD

Status : Modified

Published: 2026-02-03T19:16:14.170

Modified: 2026-04-14T16:16:31.990

Link: CVE-2025-62600

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T16:45:11Z

Weaknesses