CVE-2025-64438 Overview
CVE-2025-64438 is a remotely triggerable Out-of-Memory (OOM) denial-of-service vulnerability in Fast DDS, a C++ implementation of the DDS (Data Distribution Service) standard from eProsima. The vulnerability exists in the RTPS GAP submessage processing under RELIABLE QoS configurations. By sending a specially crafted GAP packet with an extremely large gap range, an unauthenticated attacker can cause unbounded memory allocation, leading to process termination.
The vulnerability is classified as CWE-835 (Loop with Unreachable Exit Condition), as the StatefulReader::processGapMsg() function enters an unbounded loop when processing malicious GAP submessages. This loop inserts millions of sequence numbers into the WriterProxy::changes_received_ data structure (implemented as a std::set), causing multi-gigabyte heap growth that can exhaust available system memory.
Critical Impact
Unauthenticated remote attackers can crash Fast DDS applications by sending a single malicious RTPS GAP packet, causing memory exhaustion up to ~64 GB in environments without RSS limits.
Affected Products
- Fast DDS versions prior to 3.4.1
- Fast DDS versions prior to 3.3.1
- Fast DDS versions prior to 2.6.11
Discovery Timeline
- 2026-02-03 - CVE-2025-64438 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2025-64438
Vulnerability Analysis
The vulnerability resides in the RTPS (Real-Time Publish-Subscribe) protocol implementation within Fast DDS. When a StatefulReader receives a GAP submessage, it processes the gap range specified by gapStart and gapList.base(). The vulnerable code iterates through all sequence numbers in this range without any bounds checking or limit enforcement.
An attacker can craft a minimal GAP packet specifying an enormous gap range (the difference between gapList.base and gapStart). This causes the processGapMsg() function to loop through potentially billions of sequence numbers, calling irrelevant_change_set() for each iteration. Each call inserts an entry into the changes_received_ set, causing continuous heap allocation until the system runs out of memory.
The attack requires no authentication beyond network reachability to the DDS reader on the target DDS domain, making it particularly dangerous in networked environments where DDS is used for real-time data distribution.
Root Cause
The root cause is the absence of input validation on the gap range size in RTPS GAP submessage processing. The vulnerable code directly uses attacker-controlled values (gapStart and gapList.base()) to determine the iteration count of a loop without verifying that the resulting range is reasonable. This allows an attacker to specify an arbitrarily large range with minimal packet overhead, triggering excessive memory allocation in a tight loop with no exit condition other than completing all iterations.
Attack Vector
The attack can be executed remotely over the network by any entity with network connectivity to a Fast DDS endpoint:
- Attacker identifies a DDS domain with Fast DDS readers configured with RELIABLE QoS
- Attacker crafts a malicious RTPS GAP submessage with a minimal gapStart and a very large gapList.base value
- The single small packet is sent to the target reader endpoint
- The vulnerable StatefulReader::processGapMsg() function processes the GAP and enters the unbounded loop
- Memory consumption grows rapidly as sequence numbers are inserted into the std::set
- The target process is terminated due to OOM conditions or system instability occurs
// Vulnerable code pattern (before patch) in StatefulReader.cpp
// The loop iterates from gapStart to gapList.base() without bounds checking
if (acceptMsgFrom(writerGUID, &pWP) && pWP)
{
// TODO (Miguel C): Refactor this inside WriterProxy
SequenceNumber_t auxSN;
SequenceNumber_t finalSN = gapList.base();
History::const_iterator history_iterator = history_->changesBegin();
for (auxSN = gapStart; auxSN < finalSN; auxSN++)
{
if (pWP->irrelevant_change_set(auxSN))
{
CacheChange_t* to_remove = nullptr;
auto ret_iterator = find_cache_in_fragmented_process(auxSN, pWP->guid(), to_remove, history_iterator);
if (to_remove != nullptr)
{
// we called the History version to avoid callbacks
history_iterator = history_->History::remove_change_nts(ret_iterator);
}
else if (ret_iterator != history_->changesEnd())
{
history_iterator = ret_iterator;
}
}
}
// ... additional vulnerable loop via gapList.for_each()
}
Source: GitHub Fast-DDS Commit
Detection Methods for CVE-2025-64438
Indicators of Compromise
- Sudden and rapid memory consumption growth in Fast DDS application processes
- Process crashes or OOM killer terminations of DDS-related services
- Anomalous RTPS GAP submessages with unusually large sequence number ranges in network traffic
- System log entries indicating memory allocation failures or OOM conditions for DDS processes
Detection Strategies
- Monitor memory usage patterns for Fast DDS processes and alert on abnormal growth rates
- Implement network-level inspection for RTPS traffic to detect GAP submessages with suspicious gap ranges
- Deploy application-level logging to capture GAP submessage processing statistics and flag outliers
- Configure system resource limits (ulimit, cgroups) to detect and contain memory exhaustion attempts
Monitoring Recommendations
- Set up memory usage thresholds and alerts for all Fast DDS application processes
- Enable DDS domain traffic capture and analysis for anomaly detection in RTPS protocol messages
- Monitor system logs for OOM killer activity targeting DDS-related processes
- Implement network flow analysis to identify potential DoS attack patterns targeting DDS endpoints
How to Mitigate CVE-2025-64438
Immediate Actions Required
- Upgrade Fast DDS to patched versions: 3.4.1, 3.3.1, or 2.6.11 depending on your branch
- Implement network segmentation to restrict access to DDS domain endpoints from untrusted networks
- Configure process resource limits (RSS limits) to prevent system-wide impact from memory exhaustion
- Monitor Fast DDS processes for anomalous memory consumption patterns
Patch Information
eProsima has released security patches for CVE-2025-64438 in Fast DDS versions 3.4.1, 3.3.1, and 2.6.11. The fix refactors the GAP message processing logic to eliminate the unbounded loop. Instead of iterating through each sequence number individually, the patched code uses a more efficient callback-based approach that prevents excessive memory allocation.
The patches are available through the following commits:
Additional tracking information is available at the Debian CVE-2025-64438 Tracker.
Workarounds
- Restrict network access to DDS domain participants using firewall rules or network ACLs
- Implement process-level memory limits using ulimit -v or cgroups to contain memory exhaustion impact
- Deploy DDS over secure transport with authentication to reduce unauthenticated attack surface
- Consider using BEST_EFFORT QoS instead of RELIABLE where application requirements permit (vulnerability affects RELIABLE QoS)
# Configuration example - Set memory limits for Fast DDS processes
# Using ulimit to restrict virtual memory (in KB)
ulimit -v 4194304 # Limit to 4GB virtual memory
# Using cgroups for container-based deployments
# Create a cgroup with memory limit
cgcreate -g memory:/fastdds_limited
echo "4294967296" > /sys/fs/cgroup/memory/fastdds_limited/memory.limit_in_bytes
# Run Fast DDS application within the cgroup
cgexec -g memory:fastdds_limited ./your_dds_application
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
