{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-62799", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-10-22T18:55:48.012Z", "datePublished": "2026-02-03T19:26:22.397Z", "dateUpdated": "2026-02-03T20:40:35.185Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T19:26:22.397Z"}, "title": "FastDDS's heap buffer overflow in RTPS DATA_FRAG enables unauthenticated DoS (potential RCE)", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow", "type": "CWE"}]}], "affected": [{"vendor": "eProsima", "product": "Fast-DDS", "repo": "https://github.com/eProsima/Fast-DDS", "versions": [{"status": "affected", "version": "3.4.0", "lessThan": "3.4.1", "versionType": "custom"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.3.1", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "2.6.11", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un\nauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft\ned to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write\ns past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (\nRCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An\n unauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are cr\nafted to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code wr\nites past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruptio\nn (RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."}]}], "references": [{"url": "https://security-tracker.debian.org/tracker/CVE-2025-62799"}, {"url": "https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659"}, {"url": "https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46"}, {"url": "https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "baseSeverity": "HIGH", "baseScore": 7.2, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T20:40:27.383841Z", "id": "CVE-2025-62799", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T20:40:35.185Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-62799", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-03T20:40:27.383841Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T20:40:32.293Z"}}], "cna": {"title": "FastDDS's heap buffer overflow in RTPS DATA_FRAG enables unauthenticated DoS (potential RCE)", "source": {"discovery": "UNKNOWN"}, "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.2, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/eProsima/Fast-DDS", "vendor": "eProsima", "product": "Fast-DDS", "versions": [{"status": "affected", "version": "3.4.0", "lessThan": "3.4.1", "versionType": "custom"}, {"status": "affected", "version": "3.0.0", "lessThan": "3.3.1", "versionType": "custom"}, {"status": "affected", "version": "0", "lessThan": "2.6.11", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://security-tracker.debian.org/tracker/CVE-2025-62799"}, {"url": "https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659"}, {"url": "https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46"}, {"url": "https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un\nauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft\ned to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write\ns past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (\nRCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.", "supportingMedia": [{"type": "text/html", "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An\n unauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are cr\nafted to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code wr\nites past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruptio\nn (RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "CWE-122 Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-03T19:26:22.397Z"}}}, "cveMetadata": {"cveId": "CVE-2025-62799", "state": "PUBLISHED", "dateUpdated": "2026-02-03T20:40:35.185Z", "dateReserved": "2025-10-22T18:55:48.012Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-03T19:26:22.397Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*", "matchCriteriaId": "8BAE40E0-6DFF-4878-9438-9C2488C9831C", "versionEndExcluding": "2.6.11", "vulnerable": true}, {"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*", "matchCriteriaId": "94A01F76-524F-4A5B-A782-CC789F229136", "versionEndExcluding": "3.3.1", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:eprosima:fast_dds:3.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "D4452677-95AB-46F9-9B76-9F0B15E62261", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "204FC6CC-9DAC-45FB-8A9F-C9C8EDD29D54", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un\nauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft\ned to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write\ns past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (\nRCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."}, {"lang": "es", "value": "Fast DDS es una implementaci\u00f3n en C++ del est\u00e1ndar DDS (Data Distribution Service) de la OMG (Object Management Group). Antes de las versiones 3.4.1, 3.3.1 y 2.6.11, existe un desbordamiento de b\u00fafer de pila en la ruta de recepci\u00f3n DATA_FRAG de Fast-DDS. Un remitente no autenticado puede transmitir un \u00fanico paquete RTPS DATA_FRAG malformado donde 'fragmentSize' y 'sampleSize' est\u00e1n manipulados para violar suposiciones internas. Debido a un paso de alineaci\u00f3n de 4 bytes durante la inicializaci\u00f3n de los metadatos del fragmento, el c\u00f3digo escribe m\u00e1s all\u00e1 del final del b\u00fafer de carga \u00fatil asignado, causando un fallo inmediato (DoS) y potencialmente permitiendo la corrupci\u00f3n de memoria (riesgo de RCE). Las versiones 3.4.1, 3.3.1 y 2.6.11 parchean el problema."}], "id": "CVE-2025-62799", "lastModified": "2026-02-18T16:11:20.163", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-03T20:15:56.983", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security-tracker.debian.org/tracker/CVE-2025-62799"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"created": "2026-02-04T12:05:40.685874+00:00", "updated": "2026-02-04T12:05:40.685910+00:00", "vendors": ["eprosima", "eprosima$PRODUCT$fast_dds"]}