{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-64438","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2025-11-03T22:12:51.366Z","datePublished":"2026-02-03T19:32:22.265Z","dateUpdated":"2026-02-03T20:30:50.310Z"},"containers":{"cna":{"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-02-03T19:32:22.265Z"},"title":"Fast-DDS: Unbounded GAP range triggers OOM DoS under RELIABLE QoS","problemTypes":[{"descriptions":[{"lang":"en","cweId":"CWE-835","description":"CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')","type":"CWE"}]}],"affected":[{"vendor":"eProsima","product":"Fast-DDS","repo":"https://github.com/eProsima/Fast-DDS","versions":[{"status":"affected","version":"3.4.0","lessThan":"3.4.1","versionType":"custom"},{"status":"affected","version":"3.0.0","lessThan":"3.3.1","versionType":"custom"},{"status":"affected","version":"0","lessThan":"2.6.11","versionType":"custom"}],"defaultStatus":"unaffected"}],"descriptions":[{"lang":"en","value":"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast\n-DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList\n.base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of s\nequence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination. \nNo authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS \nlimit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch t\nhe issue.","supportingMedia":[{"type":"text/html","base64":false,"value":"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists\n in Fast-DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (\n`gapList.base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts milli\nons of sequence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termi\nnation. No authentication is required beyond network reachability to the reader on the DDS domain. In environments without\n an RSS limit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11\n patch the issue."}]}],"references":[{"url":"https://security-tracker.debian.org/tracker/CVE-2025-64438"},{"url":"https://github.com/eProsima/Fast-DDS/commit/0b0cb308eaeeb2175694aa0a0a723106824ce9a7"},{"url":"https://github.com/eProsima/Fast-DDS/commit/71da01b4aea4d937558984f2cf0089f5ba3c871f"},{"url":"https://github.com/eProsima/Fast-DDS/commit/8ca016134dac20b6e30e42b7b73466ef7cdbc213"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}],"cvssV4_0":{"version":"4.0","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"NONE","subConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","subIntegrityImpact":"NONE","vulnAvailabilityImpact":"LOW","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED","baseSeverity":"LOW","baseScore":1.7,"vectorString":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"}}],"source":{"discovery":"UNKNOWN"},"x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-02-03T20:30:43.758529Z","id":"CVE-2025-64438","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-02-03T20:30:50.310Z"}}]}}