{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-62602", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-10-16T19:24:37.267Z", "datePublished": "2026-02-03T19:20:55.963Z", "dateUpdated": "2026-02-03T20:54:07.544Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T19:20:55.963Z"}, "title": "FastDDS has heap buffer overflow in readData via Manipulated DATA Submessage when DDS Security is enabled", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow", "type": "CWE"}]}], "affected": [{"vendor": "eProsima", "product": "Fast-DDS", "repo": "https://github.com/eProsima/Fast-DDS", "versions": [{"status": "affected", "version": "3.4.0", "lessThan": "3.4.1", "versionType": "custom"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.3.1", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "2.6.11", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an \nSPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields \nof `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specially `readOctetVector`\n reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter \u2014 the attacker-contro\nlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca\ntion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. \nVersions 3.4.1, 3.3.1, and 2.6.11 patch the issue.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within \nan SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the\n fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specially `readOcte\ntVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter \u2014 the attacke\nr-controlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause larg\ne allocation attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termi\nnation. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."}]}], "references": [{"url": "https://security-tracker.debian.org/tracker/CVE-2025-62602"}, {"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"}, {"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"}, {"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "baseSeverity": "LOW", "baseScore": 1.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T20:53:59.924429Z", "id": "CVE-2025-62602", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T20:54:07.544Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-62602", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T20:53:59.924429Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T20:54:04.574Z"}}], "cna": {"title": "FastDDS has heap buffer overflow in readData via Manipulated DATA Submessage when DDS Security is enabled", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 1.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/eProsima/Fast-DDS", "vendor": "eProsima", "product": "Fast-DDS", "versions": [{"status": "affected", "version": "3.4.0", "lessThan": "3.4.1", "versionType": "custom"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.3.1", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "2.6.11", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://security-tracker.debian.org/tracker/CVE-2025-62602"}, {"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"}, {"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"}, {"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an \nSPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields \nof `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specially `readOctetVector`\n reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter \u2014 the attacker-contro\nlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca\ntion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. \nVersions 3.4.1, 3.3.1, and 2.6.11 patch the issue.", "supportingMedia": [{"type": "text/html", "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within \nan SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the\n fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specially `readOcte\ntVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter \u2014 the attacke\nr-controlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause larg\ne allocation attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termi\nnation. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T19:20:55.963Z"}}}, "cveMetadata": {"cveId": "CVE-2025-62602", "state": "PUBLISHED", "dateUpdated": "2026-02-03T20:54:07.544Z", "dateReserved": "2025-10-16T19:24:37.267Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T19:20:55.963Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*", "matchCriteriaId": "8BAE40E0-6DFF-4878-9438-9C2488C9831C", "versionEndExcluding": "2.6.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*", "matchCriteriaId": "94A01F76-524F-4A5B-A782-CC789F229136", "versionEndExcluding": "3.3.1", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:eprosima:fast_dds:3.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "D4452677-95AB-46F9-9B76-9F0B15E62261", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "204FC6CC-9DAC-45FB-8A9F-C9C8EDD29D54", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an \nSPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields \nof `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specially `readOctetVector`\n reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter \u2014 the attacker-contro\nlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca\ntion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. \nVersions 3.4.1, 3.3.1, and 2.6.11 patch the issue."}, {"lang": "es", "value": "Fast DDS es una implementaci\u00f3n en C++ del est\u00e1ndar DDS (Data Distribution Service) de la OMG (Object Management Group). Antes de las versiones 3.4.1, 3.3.1 y 2.6.11, cuando el modo de seguridad est\u00e1 habilitado, modificar el Submensaje DATA dentro de un paquete SPDP enviado por un publicador causa un desbordamiento de b\u00fafer de pila, lo que resulta en la terminaci\u00f3n remota de Fast-DDS. Si los campos de `PID_IDENTITY_TOKEN` o `PID_PERMISSIONS_TOKEN` en el Submensaje DATA son manipulados \u2014 especialmente `readOctetVector` lee un `vecsize` no verificado que se propaga sin cambios a `readData` como el par\u00e1metro `length` \u2014 el `vecsize` controlado por el atacante puede desencadenar un desbordamiento de entero de 32 bits durante el c\u00e1lculo de `length`. Ese desbordamiento puede causar un intento de asignaci\u00f3n grande que r\u00e1pidamente lleva a OOM, habilitando una denegaci\u00f3n de servicio activable remotamente y la terminaci\u00f3n remota del proceso. Las versiones 3.4.1, 3.3.1 y 2.6.11 corrigen el problema."}], "id": "CVE-2025-62602", "lastModified": "2026-02-18T16:12:00.127", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.7, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-03T20:15:56.640", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security-tracker.debian.org/tracker/CVE-2025-62602"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}