CVE-2025-62600 Overview
CVE-2025-62600 is an integer overflow vulnerability in Fast DDS, eProsima's C++ implementation of the Data Distribution Service (DDS) standard from the Object Management Group (OMG). When security mode is enabled, an attacker can exploit this flaw by modifying the DATA Submessage within an SPDP (Simple Participant Discovery Protocol) packet, causing an Out-Of-Memory (OOM) condition that results in remote termination of the Fast-DDS service.
The vulnerability specifically targets the PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN fields in the DATA Submessage. By tampering with the length field in readBinaryPropertySeq, an attacker can trigger an integer overflow that leads to memory exhaustion during the resize operation.
Critical Impact
Remote attackers can cause denial of service by crashing Fast DDS instances when security mode is enabled through malformed SPDP packets.
Affected Products
- Fast DDS versions prior to 3.4.1
- Fast DDS versions prior to 3.3.1
- Fast DDS versions prior to 2.6.11
Discovery Timeline
- February 3, 2026 - CVE-2025-62600 published to NVD
- February 4, 2026 - Last updated in NVD database
Technical Details for CVE-2025-62600
Vulnerability Analysis
This vulnerability exists in the message parsing logic of Fast DDS's CDRMessage handling. When processing parameter lists from incoming SPDP packets, the code performs arithmetic operations on length fields without adequate bounds checking. The flaw manifests in the readBinaryPropertySeq function when processing identity and permission tokens.
The vulnerable code path involves reading a 16-bit length value (plength) and using it to calculate buffer positions. The original implementation performed alignment calculations using 32-bit arithmetic, which could wrap around when presented with carefully crafted length values. This integer overflow then propagates to memory allocation routines, causing the application to attempt massive memory allocations that exhaust available resources.
The vulnerability is classified as CWE-125 (Out-of-bounds Read), though the primary impact is denial of service through memory exhaustion rather than data disclosure.
Root Cause
The root cause is insufficient validation of length fields in the CDRMessage parsing routines. The vulnerable code calculated aligned lengths using the expression msg.pos += (plength + 3) & ~3; without first verifying that the resulting position would remain within bounds. This allowed attackers to supply malformed length values that cause integer overflow when combined with the current message position.
Additionally, the validation operators in parameter list parsing used bitwise AND (&=) for boolean validation, which does not short-circuit on failure, potentially allowing continued processing of malformed data.
Attack Vector
An attacker exploiting this vulnerability must be able to send specially crafted SPDP packets to a Fast DDS participant with security mode enabled. The attack involves:
- Intercepting or crafting an SPDP discovery packet
- Modifying the PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN parameters
- Setting the length field to a value that will cause integer overflow when aligned
- Sending the malformed packet to the target Fast DDS instance
The vulnerability is network-accessible but requires specific preconditions (security mode enabled) for exploitation.
// Vulnerable code pattern in ParameterList.cpp (before fix)
// The length calculation could overflow with malicious plength values
while (msg.pos < msg.length)
{
valid = true;
valid &= rtps::CDRMessage::readUInt16(&msg, &pid);
valid &= rtps::CDRMessage::readUInt16(&msg, &plength);
// ...
msg.pos += (plength + 3) & ~3; // Vulnerable: no bounds check
}
Source: GitHub Commit Fix
Detection Methods for CVE-2025-62600
Indicators of Compromise
- Unexpected Fast DDS process termination or crashes
- Memory exhaustion alerts from systems running Fast DDS applications
- Large or unusual SPDP packets on DDS discovery multicast addresses (typically 239.255.0.1)
- Abnormal memory allocation patterns in Fast DDS processes before crash
Detection Strategies
- Monitor Fast DDS process memory usage for sudden spikes or allocation failures
- Implement network traffic analysis for malformed SPDP packets with unusually large length fields in token parameters
- Configure system-level OOM killer logging to track Fast DDS process terminations
- Deploy application-level health checks that detect and alert on unexpected service restarts
Monitoring Recommendations
- Enable memory resource limits (cgroups/ulimits) for Fast DDS processes to contain potential OOM impact
- Implement watchdog monitoring for critical Fast DDS services with automatic restart capabilities
- Set up network intrusion detection rules to flag SPDP packets with anomalous parameter lengths
- Log and alert on DDS participant discovery failures that may indicate exploitation attempts
How to Mitigate CVE-2025-62600
Immediate Actions Required
- Upgrade Fast DDS to version 3.4.1, 3.3.1, or 2.6.11 (depending on your major version branch)
- If immediate patching is not possible, consider temporarily disabling security mode if the risk profile allows
- Implement network segmentation to limit exposure of DDS discovery traffic to trusted networks only
- Apply memory limits to Fast DDS processes to prevent system-wide impact from OOM conditions
Patch Information
eProsima has released patched versions that address this vulnerability:
| Branch | Fixed Version |
|---|---|
| 3.4.x | 3.4.1 |
| 3.3.x | 3.3.1 |
| 2.6.x | 2.6.11 |
The fix introduces proper bounds checking in the CDRMessage parsing logic and adds a new wrap_from_other_message helper function that safely handles message wrapping with length validation. The patched code uses 64-bit arithmetic for length calculations and explicitly validates that the new position does not exceed message boundaries.
For detailed technical changes, see the GitHub Commit Fix.
Workarounds
- Restrict network access to DDS discovery ports using firewall rules to allow only trusted participants
- Deploy Fast DDS instances behind network segments that filter external SPDP traffic
- Configure process-level memory limits using cgroups or container resource constraints to prevent system-wide OOM
- Consider using DDS over secure tunnels (VPN/TLS) to limit exposure to untrusted network traffic
// Fixed code pattern in ParameterList.cpp (after patch)
// Uses 64-bit arithmetic and explicit bounds checking
while (msg.pos < msg.length)
{
valid = true;
valid = valid && rtps::CDRMessage::readUInt16(&msg, &pid);
valid = valid && rtps::CDRMessage::readUInt16(&msg, &plength);
// ...
uint64_t aligned_length = (static_cast<uint64_t>(plength) + 3u) & ~3u;
uint64_t new_pos = static_cast<uint64_t>(msg.pos) + aligned_length;
if (new_pos > static_cast<uint64_t>(msg.length))
{
new_pos = msg.length;
}
msg.pos = static_cast<uint32_t>(new_pos);
}
Source: GitHub Commit Fix
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
