CVE-2025-64098 Overview
CVE-2025-64098 is an Integer Overflow vulnerability affecting eProsima Fast DDS, a C++ implementation of the Data Distribution Service (DDS) standard from the Object Management Group (OMG). When security mode is enabled, an attacker can exploit this vulnerability by modifying the DATA Submessage within an SPDP (Simple Participant Discovery Protocol) packet. By tampering with the vecsize value read by the readOctetVector function in PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN fields, a 32-bit integer overflow can occur. This causes std::vector::resize to request an attacker-controlled memory allocation size, rapidly triggering an Out-Of-Memory (OOM) condition and remote process termination.
Critical Impact
Remote attackers can cause denial of service by terminating Fast DDS processes through crafted SPDP packets when security mode is enabled.
Affected Products
- eProsima Fast DDS versions prior to 3.4.1
- eProsima Fast DDS versions prior to 3.3.1
- eProsima Fast DDS versions prior to 2.6.11
Discovery Timeline
- 2026-02-03 - CVE-2025-64098 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2025-64098
Vulnerability Analysis
The vulnerability exists in Fast DDS's handling of CDR (Common Data Representation) message parsing when security features are enabled. The core issue lies in the readOctetVector function which reads a vecsize value from incoming network data without proper validation against integer overflow conditions. When processing SPDP discovery packets containing PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN parameters, the library uses this untrusted size value directly in memory allocation operations.
The flaw is classified as CWE-125 (Out-of-bounds Read), though the practical impact manifests as a memory exhaustion denial of service. An attacker with network access can craft malicious SPDP packets with tampered vecsize values that, when processed, cause a 32-bit integer overflow. This results in the std::vector::resize function attempting to allocate an enormous amount of memory based on the corrupted size calculation, leading to rapid OOM conditions and process termination.
Root Cause
The root cause is insufficient validation of the plength parameter and vector size values before using them in memory operations. The original code performed arithmetic operations on 32-bit integers without checking for overflow conditions, and position updates were not properly bounded against the message length. The vulnerable code path also used bitwise AND operations (&=) for validation checks which could mask failures in certain conditions.
Attack Vector
The attack is network-based and requires the target Fast DDS instance to have security mode enabled. An attacker sends specially crafted SPDP packets to the DDS discovery multicast or unicast addresses. The malicious packets contain manipulated DATA Submessages where the vecsize field in identity or permissions tokens is set to trigger integer overflow during the vector resize operation. No authentication is required as the attack targets the discovery protocol layer before security handshakes complete.
// Security patch in src/cpp/fastdds/core/policy/ParameterList.cpp
// Source: https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b
while (msg.pos < msg.length)
{
valid = true;
- valid &= rtps::CDRMessage::readUInt16(&msg, &pid);
- valid &= rtps::CDRMessage::readUInt16(&msg, &plength);
+ valid = valid && rtps::CDRMessage::readUInt16(&msg, &pid);
+ valid = valid && rtps::CDRMessage::readUInt16(&msg, &plength);
if (!valid || (pid == PID_SENTINEL))
{
break;
}
if (pid == search_pid)
{
- valid &= rtps::CDRMessage::readData(&msg, guid.guidPrefix.value,
+ valid = valid && rtps::CDRMessage::readData(&msg, guid.guidPrefix.value,
rtps::GuidPrefix_t::size);
- valid &= rtps::CDRMessage::readData(&msg, guid.entityId.value, rtps::EntityId_t::size);
+ valid = valid && rtps::CDRMessage::readData(&msg, guid.entityId.value, rtps::EntityId_t::size);
return valid;
}
- msg.pos += (plength + 3) & ~3;
+ uint64_t aligned_length = (static_cast<uint64_t>(plength) + 3u) & ~3u;
+ uint64_t new_pos = static_cast<uint64_t>(msg.pos) + aligned_length;
+ if (new_pos > static_cast<uint64_t>(msg.length))
+ {
+ new_pos = msg.length;
+ }
+ msg.pos = static_cast<uint32_t>(new_pos);
}
return false;
Detection Methods for CVE-2025-64098
Indicators of Compromise
- Abnormal memory consumption spikes in Fast DDS processes without corresponding legitimate traffic increases
- Fast DDS process crashes or unexpected terminations with OOM-related error messages
- Unusual SPDP packet patterns with malformed or oversized DATA Submessage fields
- Network traffic containing SPDP packets with anomalous PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN parameter lengths
Detection Strategies
- Monitor DDS discovery traffic for SPDP packets with unusually large vector size fields in security tokens
- Implement network intrusion detection rules to flag CDR messages with vecsize values approaching 32-bit integer boundaries
- Deploy application-level monitoring to track memory allocation patterns in Fast DDS processes
- Configure process monitoring to alert on rapid memory growth or OOM killer invocations for DDS services
Monitoring Recommendations
- Enable memory usage alerts for Fast DDS processes with thresholds appropriate to your deployment
- Log and analyze SPDP discovery traffic patterns to establish baselines and detect anomalies
- Implement process restart monitoring to detect repeated crash-restart cycles indicative of active exploitation
- Consider network segmentation to isolate DDS discovery traffic from untrusted network segments
How to Mitigate CVE-2025-64098
Immediate Actions Required
- Upgrade to Fast DDS version 3.4.1, 3.3.1, or 2.6.11 depending on your deployment branch
- If immediate patching is not possible, consider temporarily disabling DDS security mode if acceptable for your threat model
- Implement network-level filtering to restrict SPDP traffic to trusted sources only
- Monitor affected systems for signs of exploitation attempts while planning upgrade paths
Patch Information
eProsima has released patched versions that address this vulnerability. The fix implements proper bounds checking using 64-bit arithmetic for position calculations and adds validation to ensure vector sizes do not exceed available message data. The patches are available in versions 3.4.1, 3.3.1, and 2.6.11. For detailed code changes, see the GitHub commit for version 3.4.x, GitHub commit for version 3.3.x, and GitHub commit for version 2.6.x.
Workarounds
- Restrict network access to DDS discovery ports using firewall rules to limit exposure to trusted participants only
- Deploy Fast DDS instances behind network segmentation boundaries that prevent untrusted access to multicast discovery traffic
- Implement resource limits (e.g., cgroups, ulimits) on Fast DDS processes to contain the impact of memory exhaustion attempts
- Consider using unicast discovery with explicit peer lists instead of multicast discovery to reduce attack surface
# Example: Restrict DDS discovery traffic with iptables
# Allow SPDP multicast only from trusted subnet
iptables -A INPUT -p udp --dport 7400 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 7400 -j DROP
# Set memory limits for Fast DDS process using systemd
# Add to service file [Service] section:
# MemoryMax=2G
# MemoryHigh=1.5G
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
