{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-62602","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2025-10-16T19:24:37.267Z","datePublished":"2026-02-03T19:20:55.963Z","dateUpdated":"2026-02-03T20:54:07.544Z"},"containers":{"cna":{"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-02-03T19:20:55.963Z"},"title":"FastDDS has heap buffer overflow in readData via Manipulated DATA Submessage when DDS Security is enabled","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-122","description":"CWE-122 Heap-based Buffer Overflow","type":"CWE"}]}],"affected":[{"vendor":"eProsima","product":"Fast-DDS","repo":"https://github.com/eProsima/Fast-DDS","versions":[{"status":"affected","version":"3.4.0","lessThan":"3.4.1","versionType":"custom"},{"status":"affected","version":"3.0.0","lessThan":"3.3.1","versionType":"custom"},{"status":"affected","version":"0","lessThan":"2.6.11","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specifically, `readOctetVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter — the attacker-controlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause a large allocation attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.","supportingMedia":[{"type":"text/html","base64":false,"value":"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS.&nbsp;If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specifically, `readOctetVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter — the attacker-controlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause a large allocation attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."}]}],"references":[{"url":"https://security-tracker.debian.org/tracker/CVE-2025-62602"},{"url":"https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"},{"url":"https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"},{"url":"https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"version":"4.0","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","baseSeverity":"LOW","baseScore":1.7,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"}}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-03T20:53:59.924429Z","id":"CVE-2025-62602","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-03T20:54:07.544Z"}}]}}