CVE-2025-62601 Overview
CVE-2025-62601 is a heap buffer overflow vulnerability affecting Fast DDS, the C++ implementation of the Data Distribution Service (DDS) standard by the Object Management Group (OMG). When security mode is enabled, an attacker can exploit this vulnerability by modifying DATA Submessages within SPDP packets sent by a publisher, leading to remote termination of the Fast DDS process.
The vulnerability stems from improper handling of the PID_IDENTITY_TOKEN and PID_PERMISSIONS_TOKEN fields in the DATA Submessage. By tampering with the str_size value read by the readString function (called from readBinaryProperty), an attacker can trigger a 32-bit integer overflow. This causes std::vector::resize to be called with an attacker-controlled size, resulting in a heap buffer overflow and remote process termination.
Critical Impact
Remote attackers can cause denial of service by crashing Fast-DDS processes through specially crafted SPDP network packets when security mode is enabled.
Affected Products
- Fast DDS versions prior to 3.4.1
- Fast DDS versions prior to 3.3.1
- Fast DDS versions prior to 2.6.11
Discovery Timeline
- 2026-02-03 - CVE-2025-62601 published to NVD
- 2026-02-04 - Last updated in the NVD database
Technical Details for CVE-2025-62601
Vulnerability Analysis
This vulnerability is classified as CWE-122 (Heap-based Buffer Overflow). The issue manifests when Fast DDS processes SPDP (Simple Participant Discovery Protocol) packets with security mode enabled. The attack exploits the deserialization logic in the readString and readBinaryProperty functions that handle identity and permission token data.
When a maliciously crafted SPDP packet arrives, the str_size field within the PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN is read without adequate validation. An attacker can supply an oversized value that causes a 32-bit integer overflow during memory allocation calculations. This leads to the std::vector::resize function allocating an insufficient buffer based on the wrapped-around size value. Subsequent write operations then overflow the heap buffer, corrupting memory and causing process termination.
The attack can be executed remotely, since SPDP is the discovery protocol DDS participants use to find each other on the network. Because the vulnerability only manifests when security mode is enabled, the systems that rely on DDS security features for access control are, paradoxically, the more vulnerable ones.
Root Cause
The root cause is insufficient validation of the str_size parameter in the binary property deserialization code path. The readString function, called by readBinaryProperty, accepts user-controlled size values from network packets without properly checking for integer overflow conditions before passing them to std::vector::resize. This allows 32-bit arithmetic wraparound to create an undersized buffer that is subsequently overflowed during data copy operations.
Attack Vector
The attack is network-based and requires the attacker to be able to send crafted UDP packets to a Fast DDS participant with security mode enabled. The attacker crafts a malicious SPDP packet containing a DATA Submessage with a manipulated str_size value in either the PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN fields.
The exploitation mechanism works as follows: the attacker constructs an SPDP announcement packet that appears to be from a legitimate publisher but contains tampered size fields. When the target Fast DDS instance processes this packet during participant discovery, the integer overflow triggers, leading to heap corruption and immediate process crash. No authentication is required to send these discovery packets on the network.
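As an added illustration (not Fast DDS's own code or the upstream fix), this is the shape of check the root-cause description above calls for: a length-prefixed string reader that validates the network-supplied size in size_t arithmetic before any allocation or copy. The wire layout, endianness, alignment rule and the names safe_read_string, parse_ok_sample, parse_truncated_sample and parse_wraparound_sample are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Simplified length-prefixed string reader in the style the advisory describes
// (32-bit str_size, then the bytes). It is NOT Fast DDS code: the little-endian
// prefix and the 4-byte alignment rule are assumptions made for this example.
// A network-supplied str_size is validated before any allocation or copy.
bool safe_read_string(const std::vector<uint8_t>& buf, size_t& pos, std::string& out) {
    if (pos > buf.size() || buf.size() - pos < 4) return false;  // no room for the prefix
    uint32_t str_size;
    std::memcpy(&str_size, buf.data() + pos, 4);  // assumes little-endian host
    pos += 4;

    // Core check: compare the declared size against the bytes actually left in
    // the packet, in size_t, instead of computing pos + str_size in 32 bits.
    // This is what stops a wrapped-around size from reaching vector::resize
    // and being followed by a str_size-byte copy into an undersized buffer.
    size_t remaining = buf.size() - pos;
    if (str_size > remaining) return false;

    // Alignment padding is derived from the validated size in size_t, so the
    // addition cannot wrap either.
    size_t padded = (static_cast<size_t>(str_size) + 3) & ~static_cast<size_t>(3);
    if (padded > remaining) return false;

    out.assign(reinterpret_cast<const char*>(buf.data() + pos), str_size);
    pos += padded;
    return true;
}

// Constructed samples (not captured traffic). Each returns 1 if the reader
// accepted the input and 0 if it rejected it.
int parse_ok_sample() {
    std::vector<uint8_t> buf = {4, 0, 0, 0, 'a', 'b', 'c', 0};  // str_size = 4
    size_t pos = 0; std::string s;
    return safe_read_string(buf, pos, s) && s == std::string("abc\0", 4) && pos == 8;
}
int parse_truncated_sample() {
    std::vector<uint8_t> buf = {100, 0, 0, 0, 'a', 'b', 'c', 0};  // claims 100 bytes, has 4
    size_t pos = 0; std::string s;
    return safe_read_string(buf, pos, s) ? 1 : 0;
}
int parse_wraparound_sample() {
    // str_size near UINT32_MAX: any 32-bit "size + alignment" arithmetic would
    // wrap to a tiny value; the size_t comparison above rejects it outright.
    std::vector<uint8_t> buf = {0xFD, 0xFF, 0xFF, 0xFF, 'a', 'b', 'c', 0};
    size_t pos = 0; std::string s;
    return safe_read_string(buf, pos, s) ? 1 : 0;
}
```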
Detection Methods for CVE-2025-62601
Indicators of Compromise
- Unexpected Fast DDS process crashes or terminations on systems with security mode enabled
- Abnormal SPDP packet traffic with unusually large or malformed size fields
- Core dumps showing heap corruption in readString or readBinaryProperty functions
- Network traffic containing SPDP packets with anomalous PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN data lengths
Detection Strategies
- Monitor Fast DDS processes for unexpected restarts or crash patterns that may indicate exploitation attempts
- Implement network traffic analysis to identify malformed or anomalous SPDP discovery packets
- Deploy intrusion detection rules to flag SPDP packets with size fields exceeding expected boundaries
- Review system logs for segmentation faults or heap corruption errors in DDS applications
Monitoring Recommendations
- Enable process monitoring and alerting for Fast DDS application crashes
- Configure network monitoring to capture and analyze DDS/RTPS protocol traffic
- Implement memory protection mechanisms such as ASLR and heap guards to increase exploitation difficulty
- Log all participant discovery events to facilitate forensic analysis
How to Mitigate CVE-2025-62601
Immediate Actions Required
- Upgrade Fast DDS to patched versions 3.4.1, 3.3.1, or 2.6.11 immediately
- If immediate patching is not possible, consider temporarily disabling security mode if operational requirements permit
- Implement network segmentation to limit exposure of DDS endpoints to untrusted networks
- Deploy firewall rules to restrict SPDP/RTPS traffic to known, trusted participants
Patch Information
eProsima has released patched versions of Fast DDS that address this vulnerability:
- Version 3.4.1 for the 3.4.x branch
- Version 3.3.1 for the 3.3.x branch
- Version 2.6.11 for the 2.6.x branch
The patches add proper validation of size parameters before memory allocation to prevent integer overflow conditions. Detailed commit information is available:
For additional tracking, see the Debian CVE-2025-62601 Tracker.
Workarounds
- Deploy network-level filtering to block malformed SPDP packets at the perimeter
- Isolate DDS systems on dedicated network segments with strict access controls
- Consider disabling security mode temporarily if the functionality is not essential (note: this may reduce overall security posture)
- Implement process restart policies and watchdog mechanisms to maintain service availability during potential exploitation attempts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.