
CVE-2025-64098

CVSS Score: 5.9 (Medium)
Published: Feb 03, 2026
Last Modified: Feb 18, 2026

Vulnerability Description

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with, specifically by tampering with the `vecsize` value read by `readOctetVector`, a 32-bit integer overflow can occur, causing `std::vector::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
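
The length-prefix pattern described above, as an added example that is not Fast DDS code or the upstream patch: it shows one way a 32-bit length computation can wrap and a reader that validates the prefix against the remaining bytes before allocating. `Cursor`, `padded_len32` and `read_octet_vector_checked` are hypothetical names, and the little-endian prefix and 4-byte padding are assumptions made for the illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical cursor over one received parameter value (not a Fast DDS type).
struct Cursor {
    const uint8_t* data;
    size_t len;   // total bytes in the buffer
    size_t pos;   // next unread byte
};

// Illustration of a 32-bit wrap: rounding a length up to a 4-byte boundary in
// uint32_t turns values near UINT32_MAX into tiny ones, so a bounds test made
// on the rounded value passes while the raw length is still enormous.
uint32_t padded_len32(uint32_t vecsize) {
    return (vecsize + 3u) & ~3u;
}

// Hardened reader: the raw length prefix is compared with the bytes actually
// left in the buffer, in 64-bit arithmetic, before anything is allocated.
bool read_octet_vector_checked(Cursor& c, std::vector<uint8_t>& out) {
    if (c.pos > c.len || c.len - c.pos < 4) return false;
    const uint8_t* p = c.data + c.pos;
    // Little-endian length prefix (assumed encoding for this sample).
    const uint32_t vecsize = uint32_t{p[0]} | uint32_t{p[1]} << 8 |
                             uint32_t{p[2]} << 16 | uint32_t{p[3]} << 24;
    const uint64_t remaining = c.len - c.pos - 4;
    if (vecsize > remaining) return false;          // reject before any resize
    out.assign(p + 4, p + 4 + vecsize);
    const uint64_t padded = (uint64_t{vecsize} + 3) & ~uint64_t{3};
    c.pos += 4 + static_cast<size_t>(std::min(padded, remaining));
    return true;
}

int main() {
    // Constructed samples: a tampered prefix of 0xFFFFFFFF, then a valid one.
    const uint8_t tampered[] = {0xFF, 0xFF, 0xFF, 0xFF, 1, 2, 3, 4};
    const uint8_t valid[] = {3, 0, 0, 0, 0xAA, 0xBB, 0xCC, 0};
    std::vector<uint8_t> v;
    Cursor bad{tampered, sizeof tampered, 0}, ok{valid, sizeof valid, 0};
    std::printf("wrapped padded length: %u\n", padded_len32(0xFFFFFFFFu));
    std::printf("tampered accepted: %d\n", read_octet_vector_checked(bad, v));
    const bool accepted = read_octet_vector_checked(ok, v);
    std::printf("valid accepted: %d, size %zu\n", accepted, v.size());
}
```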

CVSS Metrics

Common Vulnerability Scoring System

Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: N
Attack Complexity: H
Privileges Required: N
User Interaction: N
Scope: U
Confidentiality: N
Integrity: N
Availability: H

Known Affected Software

83 configuration(s) from 2 vendor(s)

debian_linux, Version: 12.0, CPE: cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
debian_linux, Version: 13.0, CPE: cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*
debian_linux, Version: 11.0, CPE: cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
fast_dds, Version: 2.0.2, CPE: cpe:2.3:a:eprosima:fast_dds:2.0.2:*:*:*:*:*:*:*
fast_dds, Version: 3.1.1, CPE: cpe:2.3:a:eprosima:fast_dds:3.1.1:*:*:*:*:*:*:*
fast_dds, Version: 2.4.2, CPE: cpe:2.3:a:eprosima:fast_dds:2.4.2:*:*:*:*:*:*:*
fast_dds, Version: 1.7.1, CPE: cpe:2.3:a:eprosima:fast_dds:1.7.1:*:*:*:*:*:*:*
fast_dds, Version: 2.3.3, CPE: cpe:2.3:a:eprosima:fast_dds:2.3.3:*:*:*:*:*:*:*
fast_dds, Version: 1.0.6, CPE: cpe:2.3:a:eprosima:fast_dds:1.0.6:*:*:*:*:*:*:*
fast_dds, Version: 1.10.0, CPE: cpe:2.3:a:eprosima:fast_dds:1.10.0:*:*:*:*:*:*:*
fast_dds, Version: 1.3.0, CPE: cpe:2.3:a:eprosima:fast_dds:1.3.0:*:*:*:*:*:*:*
fast_dds, Version: 2.6.6, CPE: cpe:2.3:a:eprosima:fast_dds:2.6.6:*:*:*:*:*:*:*
fast_dds, Version: 2.4.0, CPE: cpe:2.3:a:eprosima:fast_dds:2.4.0:*:*:*:*:*:*:*
fast_dds, Version: 3.0.2, CPE: cpe:2.3:a:eprosima:fast_dds:3.0.2:*:*:*:*:*:*:*
fast_dds, Version: 2.3.01, CPE: cpe:2.3:a:eprosima:fast_dds:2.3.01:*:*:*:*:*:*:*
fast_dds, Version: 2.6.8, CPE: cpe:2.3:a:eprosima:fast_dds:2.6.8:*:*:*:*:*:*:*
fast_dds, Version: 3.2.0, CPE: cpe:2.3:a:eprosima:fast_dds:3.2.0:*:*:*:*:*:*:*
fast_dds, Version: 2.1.3, CPE: cpe:2.3:a:eprosima:fast_dds:2.1.3:*:*:*:*:*:*:*
fast_dds, Version: 0.5.2, CPE: cpe:2.3:a:eprosima:fast_dds:0.5.2:*:*:*:*:*:*:*
fast_dds, Version: 1.7.2, CPE: cpe:2.3:a:eprosima:fast_dds:1.7.2:*:*:*:*:*:*:*
fast_dds, Version: 2.6.5, CPE: cpe:2.3:a:eprosima:fast_dds:2.6.5:*:*:*:*:*:*:*
fast_dds, Version: 2.5.0, CPE: cpe:2.3:a:eprosima:fast_dds:2.5.0:*:*:*:*:*:*:*
fast_dds, Version: 3.2.1, CPE: cpe:2.3:a:eprosima:fast_dds:3.2.1:*:*:*:*:*:*:*
fast_dds, Version: 2.6.7, CPE: cpe:2.3:a:eprosima:fast_dds:2.6.7:*:*:*:*:*:*:*
fast_dds, Version: 1.9.3, CPE: cpe:2.3:a:eprosima:fast_dds:1.9.3:*:*:*:*:*:*:*
fast_dds, Version: 2.0.0, CPE: cpe:2.3:a:eprosima:fast_dds:2.0.0:-:*:*:*:*:*:*
fast_dds, Version: 1.3.1, CPE: cpe:2.3:a:eprosima:fast_dds:1.3.1:*:*:*:*:*:*:*
fast_dds, Version: 2.3.5, CPE: cpe:2.3:a:eprosima:fast_dds:2.3.5:*:*:*:*:*:*:*
fast_dds, Version: 0.4.0, CPE: cpe:2.3:a:eprosima:fast_dds:0.4.0:*:*:*:*:*:*:*
fast_dds, Version: 0.5.1, CPE: cpe:2.3:a:eprosima:fast_dds:0.5.1:*:*:*:*:*:*:*
fast_dds, Version: 2.6.1, CPE: cpe:2.3:a:eprosima:fast_dds:2.6.1:*:*:*:*:*:*:*
fast_dds, Version: 2.6.10, CPE: cpe:2.3:a:eprosima:fast_dds:2.6.10:*:*:*:*:*:*:*
fast_dds, Version: 2.6.4, CPE: cpe:2.3:a:eprosima:fast_dds:2.6.4:*:*:*:*:*:*:*
fast_dds, Version: 3.3.0, CPE: cpe:2.3:a:eprosima:fast_dds:3.3.0:*:*:*:*:*:*:*
fast_dds, Version: 2.0.3, CPE: cpe:2.3:a:eprosima:fast_dds:2.0.3:*:*:*:*:*:*:*
fast_dds, Version: 0.3.1, CPE: cpe:2.3:a:eprosima:fast_dds:0.3.1:*:*:*:*:*:*:*
fast_dds, Version: 1.9.5, CPE: cpe:2.3:a:eprosima:fast_dds:1.9.5:*:*:*:*:*:*:*
fast_dds, Version: 1.8.0-2, CPE: cpe:2.3:a:eprosima:fast_dds:1.8.0-2:*:*:*:*:*:*:*
fast_dds, Version: 2.0.1, CPE: cpe:2.3:a:eprosima:fast_dds:2.0.1:-:*:*:*:*:*:*
fast_dds, Version: 1.2.0, CPE: cpe:2.3:a:eprosima:fast_dds:1.2.0:*:*:*:*:*:*:*
fast_dds, Version: 1.10.1, CPE: cpe:2.3:a:eprosima:fast_dds:1.10.1:*:*:*:*:*:*:*
fast_dds, Version: 1.1.0, CPE: cpe:2.3:a:eprosima:fast_dds:1.1.0:*:*:*:*:*:*:*
fast_dds, Version: 2.3.1, CPE: cpe:2.3:a:eprosima:fast_dds:2.3.1:*:*:*:*:*:*:*
fast_dds, Version: 2.1.0, CPE: cpe:2.3:a:eprosima:fast_dds:2.1.0:*:*:*:*:*:*:*
fast_dds, Version: 2.1.2, CPE: cpe:2.3:a:eprosima:fast_dds:2.1.2:*:*:*:*:*:*:*
fast_dds, Version: 3.1.2, CPE: cpe:2.3:a:eprosima:fast_dds:3.1.2:*:*:*:*:*:*:*
fast_dds, Version: 2.5.1, CPE: cpe:2.3:a:eprosima:fast_dds:2.5.1:*:*:*:*:*:*:*
fast_dds, Version: 1.8.3, CPE: cpe:2.3:a:eprosima:fast_dds:1.8.3:*:*:*:*:*:*:*
fast_dds, Version: 2.1.1, CPE: cpe:2.3:a:eprosima:fast_dds:2.1.1:*:*:*:*:*:*:*
fast_dds, Version: 1.4.0, CPE: cpe:2.3:a:eprosima:fast_dds:1.4.0:*:*:*:*:*:*:*
fast_dds, Version: 1.9.2, CPE: cpe:2.3:a:eprosima:fast_dds:1.9.2:*:*:*:*:*:*:*
fast_dds, Version: 1.8.0, CPE: cpe:2.3:a:eprosima:fast_dds:1.8.0:*:*:*:*:*:*:*
fast_dds, Version: 2.3.2, CPE: cpe:2.3:a:eprosima:fast_dds:2.3.2:*:*:*:*:*:*:*
fast_dds, Version: 0.5.0, CPE: cpe:2.3:a:eprosima:fast_dds:0.5.0:*:*:*:*:*:*:*
fast_dds, Version: 3.0.1, CPE: cpe:2.3:a:eprosima:fast_dds:3.0.1:*:*:*:*:*:*:*
fast_dds, Version: 2.2.0, CPE: cpe:2.3:a:eprosima:fast_dds:2.2.0:*:*:*:*:*:*:*
fast_dds, Version: 2.3.0-1, CPE: cpe:2.3:a:eprosima:fast_dds:2.3.0-1:*:*:*:*:*:*:*
fast_dds, Version: 1.7.0, CPE: cpe:2.3:a:eprosima:fast_dds:1.7.0:*:*:*:*:*:*:*
fast_dds, Version: 2.1.4, CPE: cpe:2.3:a:eprosima:fast_dds:2.1.4:*:*:*:*:*:*:*
fast_dds, Version: 2.3.0, CPE: cpe:2.3:a:eprosima:fast_dds:2.3.0:*:*:*:*:*:*:*
fast_dds, Version: 1.0.0, CPE: cpe:2.3:a:eprosima:fast_dds:1.0.0:*:*:*:*:*:*:*
fast_dds, Version: 2.4.1, CPE: cpe:2.3:a:eprosima:fast_dds:2.4.1:*:*:*:*:*:*:*
fast_dds, Version: 3.1.0, CPE: cpe:2.3:a:eprosima:fast_dds:3.1.0:*:*:*:*:*:*:*
fast_dds, Version: 1.5.0, CPE: cpe:2.3:a:eprosima:fast_dds:1.5.0:*:*:*:*:*:*:*
fast_dds, Version: 2.6.0, CPE: cpe:2.3:a:eprosima:fast_dds:2.6.0:*:*:*:*:*:*:*
fast_dds, Version: 0.3.0, CPE: cpe:2.3:a:eprosima:fast_dds:0.3.0:*:*:*:*:*:*:*
fast_dds, Version: 2.6.3, CPE: cpe:2.3:a:eprosima:fast_dds:2.6.3:*:*:*:*:*:*:*
fast_dds, Version: 2.5.2, CPE: cpe:2.3:a:eprosima:fast_dds:2.5.2:*:*:*:*:*:*:*
fast_dds, Version: 3.4.0, CPE: cpe:2.3:a:eprosima:fast_dds:3.4.0:*:*:*:*:*:*:*
fast_dds, Version: 1.9.0, CPE: cpe:2.3:a:eprosima:fast_dds:1.9.0:beta:*:*:*:*:*:*
fast_dds, Version: 1.8.4, CPE: cpe:2.3:a:eprosima:fast_dds:1.8.4:*:*:*:*:*:*:*
fast_dds, Version: 1.8.2, CPE: cpe:2.3:a:eprosima:fast_dds:1.8.2:*:*:*:*:*:*:*
fast_dds, Version: 1.8.5, CPE: cpe:2.3:a:eprosima:fast_dds:1.8.5:*:*:*:*:*:*:*
fast_dds, Version: 2.6.2, CPE: cpe:2.3:a:eprosima:fast_dds:2.6.2:*:*:*:*:*:*:*
fast_dds, Version: 2.3.6, CPE: cpe:2.3:a:eprosima:fast_dds:2.3.6:*:*:*:*:*:*:*
fast_dds, Version: 2.2.1, CPE: cpe:2.3:a:eprosima:fast_dds:2.2.1:*:*:*:*:*:*:*
fast_dds, Version: 1.7.3, CPE: cpe:2.3:a:eprosima:fast_dds:1.7.3:*:*:*:*:*:*:*
fast_dds, Version: 1.9.1, CPE: cpe:2.3:a:eprosima:fast_dds:1.9.1:*:*:*:*:*:*:*
fast_dds, Version: 3.0.0, CPE: cpe:2.3:a:eprosima:fast_dds:3.0.0:*:*:*:*:*:*:*
fast_dds, Version: 2.3.4, CPE: cpe:2.3:a:eprosima:fast_dds:2.3.4:*:*:*:*:*:*:*
fast_dds, Version: 1.6.0, CPE: cpe:2.3:a:eprosima:fast_dds:1.6.0:*:*:*:*:*:*:*
fast_dds, Version: 1.9.4, CPE: cpe:2.3:a:eprosima:fast_dds:1.9.4:*:*:*:*:*:*:*
fast_dds, Version: 1.8.1, CPE: cpe:2.3:a:eprosima:fast_dds:1.8.1:*:*:*:*:*:*:*

This vulnerability affects 83 software configuration(s). Ensure you patch all affected systems.

Severity Details

5.9 out of 10.0 (Medium)

Weakness Type (CWE)

CWE-125: Out-of-bounds Read (Top 25 #11)

Description: The product reads data past the end, or before the beginning, of the intended buffer.
Typical Severity: High
Abstraction Level: Base

Key Information

Published Date: February 03, 2026