{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-62799","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2025-10-22T18:55:48.012Z","datePublished":"2026-02-03T19:26:22.397Z","dateUpdated":"2026-02-03T20:40:35.185Z"},"containers":{"cna":{"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-02-03T19:26:22.397Z"},"title":"FastDDS's heap buffer overflow in RTPS DATA_FRAG enables unauthenticated DoS (potential RCE)","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-122","description":"CWE-122 Heap-based Buffer Overflow","type":"CWE"}]}],"affected":[{"vendor":"eProsima","product":"Fast-DDS","repo":"https://github.com/eProsima/Fast-DDS","versions":[{"status":"affected","version":"3.4.0","lessThan":"3.4.1","versionType":"custom"},{"status":"affected","version":"3.0.0","lessThan":"3.3.1","versionType":"custom"},{"status":"affected","version":"0","lessThan":"2.6.11","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un\nauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft\ned to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write\ns past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (\nRCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.","supportingMedia":[{"type":"text/html","base64":false,"value":"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An\n unauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are cr\nafted to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code wr\nites past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruptio\nn (RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."}]}],"references":[{"url":"https://security-tracker.debian.org/tracker/CVE-2025-62799"},{"url":"https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659"},{"url":"https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46"},{"url":"https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"version":"4.0","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"HIGH","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"HIGH","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","baseSeverity":"HIGH","baseScore":7.2,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"}}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-03T20:40:27.383841Z","id":"CVE-2025-62799","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-03T20:40:35.185Z"}}]}}