Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
29876 vulnerabilities found for debian_linux by debian
CVE-2025-63261 (GCVE-0-2025-63261)
Vulnerability from nvd – Published: 2026-03-20 00:00 – Updated: 2026-03-25 22:10
VLAI?
Summary
AWStats 8.0 is vulnerable to Command Injection via the open function
Severity ?
7.8 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-63261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T14:09:17.275357Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T14:09:43.048Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-03-25T22:10:36.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2026/03/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AWStats 8.0 is vulnerable to Command Injection via the open function"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T20:07:58.941Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/eldy/AWStats/blob/develop/wwwroot/cgi-bin/awstats.pl"
},
{
"url": "https://pentest-tools.com/PTT-2025-021-Code-Execution-in-AWStats.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-63261",
"datePublished": "2026-03-20T00:00:00.000Z",
"dateReserved": "2025-10-27T00:00:00.000Z",
"dateUpdated": "2026-03-25T22:10:36.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25506 (GCVE-0-2026-25506)
Vulnerability from nvd – Published: 2026-02-10 18:55 – Updated: 2026-02-17 18:17
VLAI?
Title
MUNGE has a buffer overflow in message unpacking allows key leakage and credential forgery
Summary
MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.
Severity ?
7.7 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25506",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T19:12:47.174130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T19:13:33.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-02-17T18:17:47.022Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/02/10/3"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00015.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/02/17/6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "munge",
"vendor": "dun",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.5, \u003c 0.5.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged\u0027s internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T18:55:57.708Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh"
},
{
"name": "https://github.com/dun/munge/commit/bf40cc27c4ce8451d4b062c9de0b67ec40894812",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dun/munge/commit/bf40cc27c4ce8451d4b062c9de0b67ec40894812"
},
{
"name": "https://github.com/dun/munge/releases/tag/munge-0.5.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dun/munge/releases/tag/munge-0.5.18"
}
],
"source": {
"advisory": "GHSA-r9cr-jf4v-75gh",
"discovery": "UNKNOWN"
},
"title": "MUNGE has a buffer overflow in message unpacking allows key leakage and credential forgery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25506",
"datePublished": "2026-02-10T18:55:57.708Z",
"dateReserved": "2026-02-02T18:21:42.486Z",
"dateUpdated": "2026-02-17T18:17:47.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64098 (GCVE-0-2025-64098)
Vulnerability from nvd – Published: 2026-02-03 19:29 – Updated: 2026-02-03 20:36
VLAI?
Title
FastDDS has Out-of-memory in readOctetVector via Manipulated DATA Submessage when DDS Security is enabled
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t
he fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specifically by ta
mpering with the the `vecsize` value read by `readOctetVector` — a 32-bit integer overflow can occur, causing `std::vector
::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3
.3.1, and 2.6.11 patch the issue.
Severity ?
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:36:36.571960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:36:46.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within \nan SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.\u0026n\nbsp;If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specifical\nly by tampering with the the `vecsize` value read by `readOctetVector` \u2014 a 32-bit integer overflow can occur, causing `std\n::vector::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions \n3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an \nSPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t\nhe fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specifically by ta\nmpering with the the `vecsize` value read by `readOctetVector` \u2014 a 32-bit integer overflow can occur, causing `std::vector\n::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3\n.3.1, and 2.6.11 patch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:29:09.168Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-64098"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FastDDS has Out-of-memory in readOctetVector via Manipulated DATA Submessage when DDS Security is enabled",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64098",
"datePublished": "2026-02-03T19:29:09.168Z",
"dateReserved": "2025-10-27T15:26:14.126Z",
"dateUpdated": "2026-02-03T20:36:46.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62799 (GCVE-0-2025-62799)
Vulnerability from nvd – Published: 2026-02-03 19:26 – Updated: 2026-02-03 20:40
VLAI?
Title
FastDDS's heap buffer overflow in RTPS DATA_FRAG enables unauthenticated DoS (potential RCE)
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un
authenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft
ed to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write
s past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (
RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Severity ?
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62799",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:40:27.383841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:40:35.185Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An\n unauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are cr\nafted to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code wr\nites past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruptio\nn (RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un\nauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft\ned to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write\ns past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (\nRCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:26:22.397Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-62799"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FastDDS\u0027s heap buffer overflow in RTPS DATA_FRAG enables unauthenticated DoS (potential RCE)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62799",
"datePublished": "2026-02-03T19:26:22.397Z",
"dateReserved": "2025-10-22T18:55:48.012Z",
"dateUpdated": "2026-02-03T20:40:35.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62602 (GCVE-0-2025-62602)
Vulnerability from nvd – Published: 2026-02-03 19:20 – Updated: 2026-02-03 20:54
VLAI?
Title
FastDDS has heap buffer overflow in readData via Manipulated DATA Submessage when DDS Security is enabled
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields
of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specially `readOctetVector`
reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter — the attacker-contro
lled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca
tion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination.
Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Severity ?
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62602",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:53:59.924429Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:54:07.544Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within \nan SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS.\u0026nbsp;If the\n fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specially `readOcte\ntVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter \u2014 the attacke\nr-controlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause larg\ne allocation attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termi\nnation. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an \nSPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields \nof `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specially `readOctetVector`\n reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter \u2014 the attacker-contro\nlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca\ntion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. \nVersions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:20:55.963Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-62602"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FastDDS has heap buffer overflow in readData via Manipulated DATA Submessage when DDS Security is enabled",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62602",
"datePublished": "2026-02-03T19:20:55.963Z",
"dateReserved": "2025-10-16T19:24:37.267Z",
"dateUpdated": "2026-02-03T20:54:07.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62603 (GCVE-0-2025-62603)
Vulnerability from nvd – Published: 2026-02-03 19:23 – Updated: 2026-02-03 20:44
VLAI?
Title
FastDDS has Out-of-memory while parsing GenericMessage when DDS Security is enabled
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on
going security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token
delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i
.e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed
sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`),
string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat
es at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s
o it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates,
delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n
umbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal
header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi
ng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p
atch the issue.
Severity ?
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62603",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:44:04.457672Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:44:12.618Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also\n ongoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and tok\nen delivery for newly appearing endpoints.\u0026nbsp;On receive, the CDR parser is invoked first and deserializes the `message_\ndata` (i.e., the `DataHolderSeq`) via the `readParticipantGenericMessage \u2192 readDataHolderSeq` path.\u0026nbsp;The `DataHolderSe\nq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-\nDH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector).\u0026nbsp\n;The parser operates at a stateless level and does not know higher-layer state (for example, whether the handshake has alr\neady completed), so it fully unfolds the structure before distinguishing legitimate from malformed traffic.\u0026nbsp;Because R\nTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check \nidentity and sequence numbers before discarding or processing a message; the current implementation, however, does not \"p\neek\" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1,\n and 2.6.11, this parsing behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4\n.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on\ngoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token \ndelivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i\n.e., the `DataHolderSeq`) via the `readParticipantGenericMessage \u2192 readDataHolderSeq` path. The `DataHolderSeq` is parsed \nsequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`),\n string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat\nes at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s\no it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates,\n delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n\numbers before discarding or processing a message; the current implementation, however, does not \"peek\" only at a minimal\n header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi\nng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p\natch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:23:38.191Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-62603"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FastDDS has Out-of-memory while parsing GenericMessage when DDS Security is enabled",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62603",
"datePublished": "2026-02-03T19:23:38.191Z",
"dateReserved": "2025-10-16T19:24:37.267Z",
"dateUpdated": "2026-02-03T20:44:12.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62600 (GCVE-0-2025-62600)
Vulnerability from nvd – Published: 2026-02-03 19:11 – Updated: 2026-04-14 15:39
VLAI?
Title
eprosima Fast DDS affected by Out-of-Memory in readBinaryPropertySeq via Manipulated DATA Submessage when DDS Security is enabled
Summary
eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.
If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readBinaryPropertySeq— are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1.
Severity ?
8.6 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62600",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:39:24.495069Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:39:28.295Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-hvm8-mm7f-m6hc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.11"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.14.6"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.2.4"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.1"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.\nIf the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage \u2014 specifically by tampering with the length field in readBinaryPropertySeq\u2014 are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T18:04:15.722Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-hvm8-mm7f-m6hc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-hvm8-mm7f-m6hc"
}
],
"source": {
"advisory": "GHSA-hvm8-mm7f-m6hc",
"discovery": "UNKNOWN"
},
"title": "eprosima Fast DDS affected by Out-of-Memory in readBinaryPropertySeq via Manipulated DATA Submessage when DDS Security is enabled"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62600",
"datePublished": "2026-02-03T19:11:19.429Z",
"dateReserved": "2025-10-16T19:24:37.267Z",
"dateUpdated": "2026-04-14T15:39:28.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62599 (GCVE-0-2025-62599)
Vulnerability from nvd – Published: 2026-02-03 17:54 – Updated: 2026-04-09 18:02
VLAI?
Title
eprosima Fast DDS affected by Out-of-Memory in readPropertySeq via Manipulated DATA Submessage when DDS Security is enabled
Summary
eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.
If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readPropertySeq — are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1.
Severity ?
8.6 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:46:25.679617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:51:30.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.11"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.14.6"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.2.4"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.1"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.\nIf the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage \u2014 specifically by tampering with the length field in readPropertySeq \u2014 are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T18:02:46.243Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-fc3f-wcj5-5cph",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-fc3f-wcj5-5cph"
}
],
"source": {
"advisory": "GHSA-fc3f-wcj5-5cph",
"discovery": "UNKNOWN"
},
"title": "eprosima Fast DDS affected by Out-of-Memory in readPropertySeq via Manipulated DATA Submessage when DDS Security is enabled"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62599",
"datePublished": "2026-02-03T17:54:49.511Z",
"dateReserved": "2025-10-16T19:24:37.267Z",
"dateUpdated": "2026-04-09T18:02:46.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25061 (GCVE-0-2026-25061)
Vulnerability from nvd – Published: 2026-01-29 21:42 – Updated: 2026-02-10 20:14
VLAI?
Title
tcpflow has TIM Element OOB Write in wifipcap
Summary
tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available.
Severity ?
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25061",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-30T14:47:54.181992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T16:35:14.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-02-10T20:14:00.298Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tcpflow",
"vendor": "simsong",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.61"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T21:42:47.013Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6"
}
],
"source": {
"advisory": "GHSA-q5q6-frrv-9rj6",
"discovery": "UNKNOWN"
},
"title": "tcpflow has TIM Element OOB Write in wifipcap"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25061",
"datePublished": "2026-01-29T21:42:47.013Z",
"dateReserved": "2026-01-28T14:50:47.889Z",
"dateUpdated": "2026-02-10T20:14:00.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24765 (GCVE-0-2026-24765)
Vulnerability from nvd – Published: 2026-01-27 21:35 – Updated: 2026-02-06 12:09
VLAI?
Title
PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling
Summary
PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control.
Severity ?
7.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sebastianbergmann | phpunit |
Affected:
< 8.5.52
Affected: >= 9.0.0, < 9.6.33 Affected: >= 10.0.0, < 10.5.62 Affected: >= 11.0.0, < 11.5.50 Affected: >= 12.0.0, < 12.5.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24765",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T21:13:53.775602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T21:14:01.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-02-06T12:09:45.308Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00009.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "phpunit",
"vendor": "sebastianbergmann",
"versions": [
{
"status": "affected",
"version": "\u003c 8.5.52"
},
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.6.33"
},
{
"status": "affected",
"version": "\u003e= 10.0.0, \u003c 10.5.62"
},
{
"status": "affected",
"version": "\u003e= 11.0.0, \u003c 11.5.50"
},
{
"status": "affected",
"version": "\u003e= 12.0.0, \u003c 12.5.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `[\u0027allowed_classes\u0027 =\u003e false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T21:35:54.292Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p"
},
{
"name": "https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda"
},
{
"name": "https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63"
},
{
"name": "https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50"
},
{
"name": "https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8"
},
{
"name": "https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52"
},
{
"name": "https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33"
}
],
"source": {
"advisory": "GHSA-vvj3-c3rp-c85p",
"discovery": "UNKNOWN"
},
"title": "PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24765",
"datePublished": "2026-01-27T21:35:54.292Z",
"dateReserved": "2026-01-26T21:06:47.867Z",
"dateUpdated": "2026-02-06T12:09:45.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-63261 (GCVE-0-2025-63261)
Vulnerability from cvelistv5 – Published: 2026-03-20 00:00 – Updated: 2026-03-25 22:10
VLAI?
Summary
AWStats 8.0 is vulnerable to Command Injection via the open function
Severity ?
7.8 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-63261",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T14:09:17.275357Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T14:09:43.048Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-03-25T22:10:36.546Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2026/03/msg00013.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AWStats 8.0 is vulnerable to Command Injection via the open function"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T20:07:58.941Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/eldy/AWStats/blob/develop/wwwroot/cgi-bin/awstats.pl"
},
{
"url": "https://pentest-tools.com/PTT-2025-021-Code-Execution-in-AWStats.pdf"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-63261",
"datePublished": "2026-03-20T00:00:00.000Z",
"dateReserved": "2025-10-27T00:00:00.000Z",
"dateUpdated": "2026-03-25T22:10:36.546Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25506 (GCVE-0-2026-25506)
Vulnerability from cvelistv5 – Published: 2026-02-10 18:55 – Updated: 2026-02-17 18:17
VLAI?
Title
MUNGE has a buffer overflow in message unpacking allows key leakage and credential forgery
Summary
MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.
Severity ?
7.7 (High)
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25506",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T19:12:47.174130Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T19:13:33.822Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-02-17T18:17:47.022Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/02/10/3"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00015.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2026/02/17/6"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "munge",
"vendor": "dun",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.5, \u003c 0.5.18"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged\u0027s internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T18:55:57.708Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh"
},
{
"name": "https://github.com/dun/munge/commit/bf40cc27c4ce8451d4b062c9de0b67ec40894812",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dun/munge/commit/bf40cc27c4ce8451d4b062c9de0b67ec40894812"
},
{
"name": "https://github.com/dun/munge/releases/tag/munge-0.5.18",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/dun/munge/releases/tag/munge-0.5.18"
}
],
"source": {
"advisory": "GHSA-r9cr-jf4v-75gh",
"discovery": "UNKNOWN"
},
"title": "MUNGE has a buffer overflow in message unpacking allows key leakage and credential forgery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25506",
"datePublished": "2026-02-10T18:55:57.708Z",
"dateReserved": "2026-02-02T18:21:42.486Z",
"dateUpdated": "2026-02-17T18:17:47.022Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64098 (GCVE-0-2025-64098)
Vulnerability from cvelistv5 – Published: 2026-02-03 19:29 – Updated: 2026-02-03 20:36
VLAI?
Title
FastDDS has Out-of-memory in readOctetVector via Manipulated DATA Submessage when DDS Security is enabled
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t
he fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specifically by ta
mpering with the the `vecsize` value read by `readOctetVector` — a 32-bit integer overflow can occur, causing `std::vector
::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3
.3.1, and 2.6.11 patch the issue.
Severity ?
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64098",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:36:36.571960Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:36:46.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within \nan SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.\u0026n\nbsp;If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specifical\nly by tampering with the the `vecsize` value read by `readOctetVector` \u2014 a 32-bit integer overflow can occur, causing `std\n::vector::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions \n3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an \nSPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t\nhe fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specifically by ta\nmpering with the the `vecsize` value read by `readOctetVector` \u2014 a 32-bit integer overflow can occur, causing `std::vector\n::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3\n.3.1, and 2.6.11 patch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:29:09.168Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-64098"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FastDDS has Out-of-memory in readOctetVector via Manipulated DATA Submessage when DDS Security is enabled",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64098",
"datePublished": "2026-02-03T19:29:09.168Z",
"dateReserved": "2025-10-27T15:26:14.126Z",
"dateUpdated": "2026-02-03T20:36:46.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62799 (GCVE-0-2025-62799)
Vulnerability from cvelistv5 – Published: 2026-02-03 19:26 – Updated: 2026-02-03 20:40
VLAI?
Title
FastDDS's heap buffer overflow in RTPS DATA_FRAG enables unauthenticated DoS (potential RCE)
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un
authenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft
ed to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write
s past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (
RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Severity ?
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62799",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:40:27.383841Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:40:35.185Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An\n unauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are cr\nafted to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code wr\nites past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruptio\nn (RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un\nauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft\ned to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write\ns past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (\nRCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:26:22.397Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-62799"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FastDDS\u0027s heap buffer overflow in RTPS DATA_FRAG enables unauthenticated DoS (potential RCE)",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62799",
"datePublished": "2026-02-03T19:26:22.397Z",
"dateReserved": "2025-10-22T18:55:48.012Z",
"dateUpdated": "2026-02-03T20:40:35.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62603 (GCVE-0-2025-62603)
Vulnerability from cvelistv5 – Published: 2026-02-03 19:23 – Updated: 2026-02-03 20:44
VLAI?
Title
FastDDS has Out-of-memory while parsing GenericMessage when DDS Security is enabled
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on
going security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token
delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i
.e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed
sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`),
string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat
es at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s
o it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates,
delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n
umbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal
header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi
ng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p
atch the issue.
Severity ?
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62603",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:44:04.457672Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:44:12.618Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also\n ongoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and tok\nen delivery for newly appearing endpoints.\u0026nbsp;On receive, the CDR parser is invoked first and deserializes the `message_\ndata` (i.e., the `DataHolderSeq`) via the `readParticipantGenericMessage \u2192 readDataHolderSeq` path.\u0026nbsp;The `DataHolderSe\nq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-\nDH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector).\u0026nbsp\n;The parser operates at a stateless level and does not know higher-layer state (for example, whether the handshake has alr\neady completed), so it fully unfolds the structure before distinguishing legitimate from malformed traffic.\u0026nbsp;Because R\nTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check \nidentity and sequence numbers before discarding or processing a message; the current implementation, however, does not \"p\neek\" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1,\n and 2.6.11, this parsing behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4\n.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on\ngoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token \ndelivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i\n.e., the `DataHolderSeq`) via the `readParticipantGenericMessage \u2192 readDataHolderSeq` path. The `DataHolderSeq` is parsed \nsequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`),\n string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat\nes at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s\no it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates,\n delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n\numbers before discarding or processing a message; the current implementation, however, does not \"peek\" only at a minimal\n header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi\nng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p\natch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:23:38.191Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-62603"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FastDDS has Out-of-memory while parsing GenericMessage when DDS Security is enabled",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62603",
"datePublished": "2026-02-03T19:23:38.191Z",
"dateReserved": "2025-10-16T19:24:37.267Z",
"dateUpdated": "2026-02-03T20:44:12.618Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62602 (GCVE-0-2025-62602)
Vulnerability from cvelistv5 – Published: 2026-02-03 19:20 – Updated: 2026-02-03 20:54
VLAI?
Title
FastDDS has heap buffer overflow in readData via Manipulated DATA Submessage when DDS Security is enabled
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields
of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specially `readOctetVector`
reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter — the attacker-contro
lled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca
tion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination.
Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
Severity ?
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62602",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-03T20:53:59.924429Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T20:54:07.544Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Fast-DDS",
"repo": "https://github.com/eProsima/Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"lessThan": "3.4.1",
"status": "affected",
"version": "3.4.0",
"versionType": "custom"
},
{
"lessThan": "3.3.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.6.11",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within \nan SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS.\u0026nbsp;If the\n fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specially `readOcte\ntVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter \u2014 the attacke\nr-controlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause larg\ne allocation attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termi\nnation. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an \nSPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields \nof `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specially `readOctetVector`\n reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter \u2014 the attacker-contro\nlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca\ntion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. \nVersions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 1.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-03T19:20:55.963Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"url": "https://security-tracker.debian.org/tracker/CVE-2025-62602"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
},
{
"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FastDDS has heap buffer overflow in readData via Manipulated DATA Submessage when DDS Security is enabled",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62602",
"datePublished": "2026-02-03T19:20:55.963Z",
"dateReserved": "2025-10-16T19:24:37.267Z",
"dateUpdated": "2026-02-03T20:54:07.544Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62600 (GCVE-0-2025-62600)
Vulnerability from cvelistv5 – Published: 2026-02-03 19:11 – Updated: 2026-04-14 15:39
VLAI?
Title
eprosima Fast DDS affected by Out-of-Memory in readBinaryPropertySeq via Manipulated DATA Submessage when DDS Security is enabled
Summary
eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.
If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readBinaryPropertySeq— are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1.
Severity ?
8.6 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62600",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T15:39:24.495069Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T15:39:28.295Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-hvm8-mm7f-m6hc"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.11"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.14.6"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.2.4"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.1"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.\nIf the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage \u2014 specifically by tampering with the length field in readBinaryPropertySeq\u2014 are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T18:04:15.722Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-hvm8-mm7f-m6hc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-hvm8-mm7f-m6hc"
}
],
"source": {
"advisory": "GHSA-hvm8-mm7f-m6hc",
"discovery": "UNKNOWN"
},
"title": "eprosima Fast DDS affected by Out-of-Memory in readBinaryPropertySeq via Manipulated DATA Submessage when DDS Security is enabled"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62600",
"datePublished": "2026-02-03T19:11:19.429Z",
"dateReserved": "2025-10-16T19:24:37.267Z",
"dateUpdated": "2026-04-14T15:39:28.295Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62599 (GCVE-0-2025-62599)
Vulnerability from cvelistv5 – Published: 2026-02-03 17:54 – Updated: 2026-04-09 18:02
VLAI?
Title
eprosima Fast DDS affected by Out-of-Memory in readPropertySeq via Manipulated DATA Submessage when DDS Security is enabled
Summary
eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.
If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readPropertySeq — are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1.
Severity ?
8.6 (High)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62599",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-04T15:46:25.679617Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-04T16:51:30.294Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fast-DDS",
"vendor": "eProsima",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.11"
},
{
"status": "affected",
"version": "\u003e= 2.7.0, \u003c 2.14.6"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.2.4"
},
{
"status": "affected",
"version": "\u003e= 3.3.0, \u003c 3.3.1"
},
{
"status": "affected",
"version": "\u003e= 3.4.0, \u003c 3.4.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.\nIf the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage \u2014 specifically by tampering with the length field in readPropertySeq \u2014 are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190: Integer Overflow or Wraparound",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Memory Allocation with Excessive Size Value",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T18:02:46.243Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-fc3f-wcj5-5cph",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-fc3f-wcj5-5cph"
}
],
"source": {
"advisory": "GHSA-fc3f-wcj5-5cph",
"discovery": "UNKNOWN"
},
"title": "eprosima Fast DDS affected by Out-of-Memory in readPropertySeq via Manipulated DATA Submessage when DDS Security is enabled"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62599",
"datePublished": "2026-02-03T17:54:49.511Z",
"dateReserved": "2025-10-16T19:24:37.267Z",
"dateUpdated": "2026-04-09T18:02:46.243Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25061 (GCVE-0-2026-25061)
Vulnerability from cvelistv5 – Published: 2026-01-29 21:42 – Updated: 2026-02-10 20:14
VLAI?
Title
tcpflow has TIM Element OOB Write in wifipcap
Summary
tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available.
Severity ?
CWE
- CWE-787 - Out-of-bounds Write
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25061",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-30T14:47:54.181992Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-02T16:35:14.092Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-02-10T20:14:00.298Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "tcpflow",
"vendor": "simsong",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.61"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-787",
"description": "CWE-787: Out-of-bounds Write",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T21:42:47.013Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6"
}
],
"source": {
"advisory": "GHSA-q5q6-frrv-9rj6",
"discovery": "UNKNOWN"
},
"title": "tcpflow has TIM Element OOB Write in wifipcap"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25061",
"datePublished": "2026-01-29T21:42:47.013Z",
"dateReserved": "2026-01-28T14:50:47.889Z",
"dateUpdated": "2026-02-10T20:14:00.298Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24765 (GCVE-0-2026-24765)
Vulnerability from cvelistv5 – Published: 2026-01-27 21:35 – Updated: 2026-02-06 12:09
VLAI?
Title
PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling
Summary
PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control.
Severity ?
7.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sebastianbergmann | phpunit |
Affected:
< 8.5.52
Affected: >= 9.0.0, < 9.6.33 Affected: >= 10.0.0, < 10.5.62 Affected: >= 11.0.0, < 11.5.50 Affected: >= 12.0.0, < 12.5.8 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24765",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T21:13:53.775602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T21:14:01.691Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-02-06T12:09:45.308Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00009.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "phpunit",
"vendor": "sebastianbergmann",
"versions": [
{
"status": "affected",
"version": "\u003c 8.5.52"
},
{
"status": "affected",
"version": "\u003e= 9.0.0, \u003c 9.6.33"
},
{
"status": "affected",
"version": "\u003e= 10.0.0, \u003c 10.5.62"
},
{
"status": "affected",
"version": "\u003e= 11.0.0, \u003c 11.5.50"
},
{
"status": "affected",
"version": "\u003e= 12.0.0, \u003c 12.5.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `[\u0027allowed_classes\u0027 =\u003e false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502: Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T21:35:54.292Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p"
},
{
"name": "https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda"
},
{
"name": "https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63"
},
{
"name": "https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50"
},
{
"name": "https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8"
},
{
"name": "https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52"
},
{
"name": "https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33"
}
],
"source": {
"advisory": "GHSA-vvj3-c3rp-c85p",
"discovery": "UNKNOWN"
},
"title": "PHPUnit Vulnerable to Unsafe Deserialization in PHPT Code Coverage Handling"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24765",
"datePublished": "2026-01-27T21:35:54.292Z",
"dateReserved": "2026-01-26T21:06:47.867Z",
"dateUpdated": "2026-02-06T12:09:45.308Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
FKIE_CVE-2026-25506
Vulnerability from fkie_nvd - Published: 2026-02-10 19:16 - Updated: 2026-02-25 17:39
Severity ?
7.7 (High) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/dun/munge/commit/bf40cc27c4ce8451d4b062c9de0b67ec40894812 | Patch | |
| security-advisories@github.com | https://github.com/dun/munge/releases/tag/munge-0.5.18 | Product, Release Notes | |
| security-advisories@github.com | https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh | Mitigation, Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2026/02/10/3 | Mailing List, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2026/02/17/6 | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2026/02/msg00015.html | Mailing List, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| opensuse | munge | * | |
| debian | debian_linux | 11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:opensuse:munge:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8FA863EF-F766-4A77-8313-1AFC05928932",
"versionEndExcluding": "0.5.18",
"versionStartIncluding": "0.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged\u0027s internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18."
},
{
"lang": "es",
"value": "MUNGE es un servicio de autenticaci\u00f3n para crear y validar credenciales de usuario. Desde 0.5 hasta 0.5.17, un atacante local puede explotar una vulnerabilidad de desbordamiento de b\u00fafer en munged (el demonio de autenticaci\u00f3n de MUNGE) para filtrar material de clave criptogr\u00e1fica de la memoria del proceso. Con el material de clave filtrado, el atacante podr\u00eda falsificar credenciales MUNGE arbitrarias para suplantar a cualquier usuario (incluido root) a servicios que dependen de MUNGE para la autenticaci\u00f3n. La vulnerabilidad permite un desbordamiento de b\u00fafer al enviar un mensaje manipulado con un campo de longitud de direcci\u00f3n sobredimensionado, corrompiendo el estado interno de munged y permitiendo la extracci\u00f3n de la subclave MAC utilizada para la verificaci\u00f3n de credenciales. Esta vulnerabilidad se corrige en 0.5.18."
}
],
"id": "CVE-2026-25506",
"lastModified": "2026-02-25T17:39:03.170",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "LOW",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
},
"exploitabilityScore": 1.1,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-02-10T19:16:03.720",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/dun/munge/commit/bf40cc27c4ce8451d4b062c9de0b67ec40894812"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/dun/munge/releases/tag/munge-0.5.18"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/dun/munge/security/advisories/GHSA-r9cr-jf4v-75gh"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2026/02/10/3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2026/02/17/6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00015.html"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-64098
Vulnerability from fkie_nvd - Published: 2026-02-03 20:15 - Updated: 2026-02-18 16:15
Severity ?
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t
he fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specifically by ta
mpering with the the `vecsize` value read by `readOctetVector` — a 32-bit integer overflow can occur, causing `std::vector
::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3
.3.1, and 2.6.11 patch the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| eprosima | fast_dds | * | |
| eprosima | fast_dds | * | |
| eprosima | fast_dds | 3.4.0 | |
| debian | debian_linux | 11.0 | |
| debian | debian_linux | 12.0 | |
| debian | debian_linux | 13.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8BAE40E0-6DFF-4878-9438-9C2488C9831C",
"versionEndExcluding": "2.6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94A01F76-524F-4A5B-A782-CC789F229136",
"versionEndExcluding": "3.3.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:3.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D4452677-95AB-46F9-9B76-9F0B15E62261",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "204FC6CC-9DAC-45FB-8A9F-C9C8EDD29D54",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an \nSPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t\nhe fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specifically by ta\nmpering with the the `vecsize` value read by `readOctetVector` \u2014 a 32-bit integer overflow can occur, causing `std::vector\n::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3\n.3.1, and 2.6.11 patch the issue."
},
{
"lang": "es",
"value": "Fast DDS es una implementaci\u00f3n en C++ del est\u00e1ndar DDS (Data Distribution Service) de la OMG (Object Management Group). Antes de las versiones 3.4.1, 3.3.1 y 2.6.11, cuando el modo de seguridad est\u00e1 habilitado, modificar el Submensaje DATA dentro de un paquete SPDP enviado por un publicador causa una condici\u00f3n de Out-Of-Memory (OOM), lo que resulta en la terminaci\u00f3n remota de Fast-DDS. Si los campos de PID_IDENTITY_TOKEN o PID_PERMISSIONS_TOKEN en el Submensaje DATA son manipulados \u2014 espec\u00edficamente al manipular el valor vecsize le\u00eddo por readOctetVector \u2014 puede ocurrir un desbordamiento de entero de 32 bits, haciendo que std::vector::resize solicite un tama\u00f1o controlado por el atacante y desencadene r\u00e1pidamente OOM y la terminaci\u00f3n remota del proceso. Las versiones 3.4.1, 3.3.1 y 2.6.11 parchean el problema."
}
],
"id": "CVE-2025-64098",
"lastModified": "2026-02-18T16:15:29.683",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 1.7,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-02-03T20:15:57.127",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2025-64098"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-125"
},
{
"lang": "en",
"value": "CWE-190"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-62799
Vulnerability from fkie_nvd - Published: 2026-02-03 20:15 - Updated: 2026-02-18 16:11
Severity ?
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un
authenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft
ed to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write
s past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (
RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| eprosima | fast_dds | * | |
| eprosima | fast_dds | * | |
| eprosima | fast_dds | 3.4.0 | |
| debian | debian_linux | 11.0 | |
| debian | debian_linux | 12.0 | |
| debian | debian_linux | 13.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8BAE40E0-6DFF-4878-9438-9C2488C9831C",
"versionEndExcluding": "2.6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94A01F76-524F-4A5B-A782-CC789F229136",
"versionEndExcluding": "3.3.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:3.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D4452677-95AB-46F9-9B76-9F0B15E62261",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "204FC6CC-9DAC-45FB-8A9F-C9C8EDD29D54",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un\nauthenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft\ned to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write\ns past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (\nRCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
},
{
"lang": "es",
"value": "Fast DDS es una implementaci\u00f3n en C++ del est\u00e1ndar DDS (Data Distribution Service) de la OMG (Object Management Group). Antes de las versiones 3.4.1, 3.3.1 y 2.6.11, existe un desbordamiento de b\u00fafer de pila en la ruta de recepci\u00f3n DATA_FRAG de Fast-DDS. Un remitente no autenticado puede transmitir un \u00fanico paquete RTPS DATA_FRAG malformado donde \u0027fragmentSize\u0027 y \u0027sampleSize\u0027 est\u00e1n manipulados para violar suposiciones internas. Debido a un paso de alineaci\u00f3n de 4 bytes durante la inicializaci\u00f3n de los metadatos del fragmento, el c\u00f3digo escribe m\u00e1s all\u00e1 del final del b\u00fafer de carga \u00fatil asignado, causando un fallo inmediato (DoS) y potencialmente permitiendo la corrupci\u00f3n de memoria (riesgo de RCE). Las versiones 3.4.1, 3.3.1 y 2.6.11 parchean el problema."
}
],
"id": "CVE-2025-62799",
"lastModified": "2026-02-18T16:11:20.163",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-02-03T20:15:56.983",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2025-62799"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-122"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-62602
Vulnerability from fkie_nvd - Published: 2026-02-03 20:15 - Updated: 2026-02-18 16:12
Severity ?
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields
of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specially `readOctetVector`
reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter — the attacker-contro
lled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca
tion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination.
Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| eprosima | fast_dds | * | |
| eprosima | fast_dds | * | |
| eprosima | fast_dds | 3.4.0 | |
| debian | debian_linux | 11.0 | |
| debian | debian_linux | 12.0 | |
| debian | debian_linux | 13.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8BAE40E0-6DFF-4878-9438-9C2488C9831C",
"versionEndExcluding": "2.6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94A01F76-524F-4A5B-A782-CC789F229136",
"versionEndExcluding": "3.3.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:3.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D4452677-95AB-46F9-9B76-9F0B15E62261",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "204FC6CC-9DAC-45FB-8A9F-C9C8EDD29D54",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an \nSPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields \nof `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with \u2014 specially `readOctetVector`\n reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter \u2014 the attacker-contro\nlled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca\ntion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. \nVersions 3.4.1, 3.3.1, and 2.6.11 patch the issue."
},
{
"lang": "es",
"value": "Fast DDS es una implementaci\u00f3n en C++ del est\u00e1ndar DDS (Data Distribution Service) de la OMG (Object Management Group). Antes de las versiones 3.4.1, 3.3.1 y 2.6.11, cuando el modo de seguridad est\u00e1 habilitado, modificar el Submensaje DATA dentro de un paquete SPDP enviado por un publicador causa un desbordamiento de b\u00fafer de pila, lo que resulta en la terminaci\u00f3n remota de Fast-DDS. Si los campos de `PID_IDENTITY_TOKEN` o `PID_PERMISSIONS_TOKEN` en el Submensaje DATA son manipulados \u2014 especialmente `readOctetVector` lee un `vecsize` no verificado que se propaga sin cambios a `readData` como el par\u00e1metro `length` \u2014 el `vecsize` controlado por el atacante puede desencadenar un desbordamiento de entero de 32 bits durante el c\u00e1lculo de `length`. Ese desbordamiento puede causar un intento de asignaci\u00f3n grande que r\u00e1pidamente lleva a OOM, habilitando una denegaci\u00f3n de servicio activable remotamente y la terminaci\u00f3n remota del proceso. Las versiones 3.4.1, 3.3.1 y 2.6.11 corrigen el problema."
}
],
"id": "CVE-2025-62602",
"lastModified": "2026-02-18T16:12:00.127",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 1.7,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-02-03T20:15:56.640",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2025-62602"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-122"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2025-62603
Vulnerability from fkie_nvd - Published: 2026-02-03 20:15 - Updated: 2026-02-18 16:11
Severity ?
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on
going security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token
delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i
.e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed
sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`),
string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat
es at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s
o it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates,
delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n
umbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal
header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi
ng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p
atch the issue.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| eprosima | fast_dds | * | |
| eprosima | fast_dds | * | |
| eprosima | fast_dds | 3.4.0 | |
| debian | debian_linux | 11.0 | |
| debian | debian_linux | 12.0 | |
| debian | debian_linux | 13.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8BAE40E0-6DFF-4878-9438-9C2488C9831C",
"versionEndExcluding": "2.6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94A01F76-524F-4A5B-A782-CC789F229136",
"versionEndExcluding": "3.3.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:3.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D4452677-95AB-46F9-9B76-9F0B15E62261",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "204FC6CC-9DAC-45FB-8A9F-C9C8EDD29D54",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on\ngoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token \ndelivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i\n.e., the `DataHolderSeq`) via the `readParticipantGenericMessage \u2192 readDataHolderSeq` path. The `DataHolderSeq` is parsed \nsequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`),\n string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat\nes at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s\no it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates,\n delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n\numbers before discarding or processing a message; the current implementation, however, does not \"peek\" only at a minimal\n header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi\nng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p\natch the issue."
},
{
"lang": "es",
"value": "Fast DDS es una implementaci\u00f3n en C++ del est\u00e1ndar DDS (Data Distribution Service) de la OMG (Object Management Group). ParticipantGenericMessage es el contenedor de mensajes de control de DDS Security que transporta no solo el handshake sino tambi\u00e9n el tr\u00e1fico de control de seguridad continuo despu\u00e9s del handshake, como el intercambio de cripto-tokens, el rekeying, la re-autenticaci\u00f3n y la entrega de tokens para los endpoints que aparecen recientemente. Al recibir, el analizador CDR se invoca primero y deserializa el \u0027message_data\u0027 (es decir, el \u0027DataHolderSeq\u0027) a trav\u00e9s de la ruta \u0027readParticipantGenericMessage ? readDataHolderSeq\u0027. El \u0027DataHolderSeq\u0027 se analiza secuencialmente: un recuento de secuencia (\u0027uint32\u0027), y para cada DataHolder la cadena \u0027class_id\u0027 (por ejemplo, \u0027DDS:Auth:PKI-DH:1.0+Req\u0027), propiedades de cadena (una secuencia de pares clave/valor), y propiedades binarias (un nombre m\u00e1s un vector de octetos). El analizador opera a un nivel sin estado y no conoce el estado de capas superiores (por ejemplo, si el handshake ya se ha completado), por lo que despliega completamente la estructura antes de distinguir el tr\u00e1fico leg\u00edtimo del malformado. Debido a que RTPS permite duplicados, retrasos y retransmisiones, un receptor debe realizar al menos un an\u00e1lisis estructural m\u00ednimo para verificar la identidad y los n\u00fameros de secuencia antes de descartar o procesar un mensaje; la implementaci\u00f3n actual, sin embargo, no \u0027echa un vistazo\u0027 solo a una cabecera m\u00ednima y en su lugar analiza todo el \u0027DataHolderSeq\u0027. Como resultado, antes de las versiones 3.4.1, 3.3.1 y 2.6.11, este comportamiento de an\u00e1lisis puede desencadenar una condici\u00f3n de falta de memoria y terminar el proceso de forma remota. Las versiones 3.4.1, 3.3.1 y 2.6.11 parchean el problema."
}
],
"id": "CVE-2025-62603",
"lastModified": "2026-02-18T16:11:42.930",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 1.7,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "UNREPORTED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-02-03T20:15:56.787",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
},
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security-tracker.debian.org/tracker/CVE-2025-62603"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-125"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2025-62600
Vulnerability from fkie_nvd - Published: 2026-02-03 19:16 - Updated: 2026-04-14 16:16
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.
If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readBinaryPropertySeq— are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| eprosima | fast_dds | * | |
| eprosima | fast_dds | * | |
| eprosima | fast_dds | 3.4.0 | |
| debian | debian_linux | 11.0 | |
| debian | debian_linux | 12.0 | |
| debian | debian_linux | 13.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8BAE40E0-6DFF-4878-9438-9C2488C9831C",
"versionEndExcluding": "2.6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94A01F76-524F-4A5B-A782-CC789F229136",
"versionEndExcluding": "3.3.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:3.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D4452677-95AB-46F9-9B76-9F0B15E62261",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "204FC6CC-9DAC-45FB-8A9F-C9C8EDD29D54",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.\nIf the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage \u2014 specifically by tampering with the length field in readBinaryPropertySeq\u2014 are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1."
},
{
"lang": "es",
"value": "Fast DDS es una implementaci\u00f3n en C++ del est\u00e1ndar DDS (Data Distribution Service) de la OMG (Object Management Group). Antes de las versiones 3.4.1, 3.3.1 y 2.6.11, cuando el modo de seguridad est\u00e1 habilitado, modificar el Submensaje DATA dentro de un paquete SPDP enviado por un publicador causa una condici\u00f3n de falta de memoria (OOM), lo que resulta en la terminaci\u00f3n remota de Fast-DDS. Si los campos de PID_IDENTITY_TOKEN o PID_PERMISSION_TOKEN en el Submensaje DATA \u2014 espec\u00edficamente al manipular el campo de longitud en readBinaryPropertySeq \u2014 son modificados, ocurre un desbordamiento de entero, lo que lleva a una OOM durante la operaci\u00f3n de redimensionamiento. Las versiones 3.4.1, 3.3.1 y 2.6.11 aplican un parche al problema."
}
],
"id": "CVE-2025-62600",
"lastModified": "2026-04-14T16:16:31.990",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-02-03T19:16:14.170",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-hvm8-mm7f-m6hc"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-hvm8-mm7f-m6hc"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-190"
},
{
"lang": "en",
"value": "CWE-789"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-62599
Vulnerability from fkie_nvd - Published: 2026-02-03 18:16 - Updated: 2026-04-09 18:16
Severity ?
8.6 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.
If the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length field in readPropertySeq — are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| eprosima | fast_dds | * | |
| eprosima | fast_dds | * | |
| eprosima | fast_dds | 3.4.0 | |
| debian | debian_linux | 11.0 | |
| debian | debian_linux | 12.0 | |
| debian | debian_linux | 13.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*",
"matchCriteriaId": "8BAE40E0-6DFF-4878-9438-9C2488C9831C",
"versionEndExcluding": "2.6.11",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*",
"matchCriteriaId": "94A01F76-524F-4A5B-A782-CC789F229136",
"versionEndExcluding": "3.3.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:eprosima:fast_dds:3.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D4452677-95AB-46F9-9B76-9F0B15E62261",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*",
"matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*",
"matchCriteriaId": "204FC6CC-9DAC-45FB-8A9F-C9C8EDD29D54",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "eprosima Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS.\nIf the fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage \u2014 specifically by tampering with the length field in readPropertySeq \u2014 are modified, an integer overflow occurs, leading to an OOM during the resize operation. This vulnerability is fixed in 2.6.11, 2.14.6, 3.2.4, 3.3.1, and 3.4.1."
},
{
"lang": "es",
"value": "Fast DDS es una implementaci\u00f3n en C++ del est\u00e1ndar DDS (Data Distribution Service) del OMG (Object Management Group). Antes de las versiones 3.4.1, 3.3.1 y 2.6.11, cuando el modo de seguridad est\u00e1 habilitado, la modificaci\u00f3n del Submensaje DATA dentro de un paquete SPDP enviado por un publicador provoca una condici\u00f3n de falta de memoria (OOM), lo que resulta en la terminaci\u00f3n remota de Fast-DDS. Si se modifican los campos de PID_IDENTITY_TOKEN o PID_PERMISSION_TOKEN en el Submensaje DATA \u2014espec\u00edficamente al manipular el campo de longitud en readPropertySeq\u2014, se produce un desbordamiento de entero, lo que lleva a una OOM durante la operaci\u00f3n de redimensionamiento. Las versiones 3.4.1, 3.3.1 y 2.6.11 parchean el problema."
}
],
"id": "CVE-2025-62599",
"lastModified": "2026-04-09T18:16:41.830",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-02-03T18:16:15.073",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-fc3f-wcj5-5cph"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-190"
},
{
"lang": "en",
"value": "CWE-789"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
FKIE_CVE-2026-25061
Vulnerability from fkie_nvd - Published: 2026-01-29 22:15 - Updated: 2026-02-25 15:24
Severity ?
Summary
tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6 | Exploit, Mitigation, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html | Mailing List, Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| digitalcorpora | tcpflow | * | |
| debian | debian_linux | 11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:digitalcorpora:tcpflow:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E2DE3D04-62BF-4CE6-BB8C-2AD5BFDFABAD",
"versionEndIncluding": "1.6.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available."
},
{
"lang": "es",
"value": "tcpflow es un demultiplexador de paquetes TCP/IP. En versiones hasta la 1.61 inclusive, wifipcap analiza los elementos de tramas de gesti\u00f3n 802.11 y realiza una comprobaci\u00f3n de longitud en el campo incorrecto al manejar el elemento TIM. Una trama manipulada con una longitud TIM grande puede causar una escritura fuera de l\u00edmites de 1 byte m\u00e1s all\u00e1 de \u0027tim.bitmap[251]\u0027. El desbordamiento es peque\u00f1o y DoS es el impacto probable; la ejecuci\u00f3n de c\u00f3digo es potencial, pero a\u00fan est\u00e1 en el aire. La estructura afectada est\u00e1 asignada en la pila en \u0027handle_beacon()\u0027 y controladores relacionados. En el momento de la publicaci\u00f3n, no hay parches conocidos disponibles."
}
],
"id": "CVE-2026-25061",
"lastModified": "2026-02-25T15:24:30.993",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "PROOF_OF_CONCEPT",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-01-29T22:15:55.797",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00014.html"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2026-24765
Vulnerability from fkie_nvd - Published: 2026-01-27 22:15 - Updated: 2026-03-03 15:25
Severity ?
Summary
PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| phpunit_project | phpunit | * | |
| phpunit_project | phpunit | * | |
| phpunit_project | phpunit | * | |
| phpunit_project | phpunit | * | |
| phpunit_project | phpunit | * | |
| debian | debian_linux | 11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:phpunit_project:phpunit:*:*:*:*:*:-:*:*",
"matchCriteriaId": "5D9FEAE5-A87C-4075-B6DC-891777C96DD8",
"versionEndExcluding": "8.5.52",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phpunit_project:phpunit:*:*:*:*:*:-:*:*",
"matchCriteriaId": "640B3B46-B435-42D9-9CD4-8FF9F0AF3B9A",
"versionEndExcluding": "9.6.33",
"versionStartIncluding": "9.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phpunit_project:phpunit:*:*:*:*:*:-:*:*",
"matchCriteriaId": "4C8CECCD-A520-48D3-9813-596887E7B75A",
"versionEndExcluding": "10.5.62",
"versionStartIncluding": "10.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phpunit_project:phpunit:*:*:*:*:*:-:*:*",
"matchCriteriaId": "8F2BC1CB-876F-443C-8B49-6B2900165493",
"versionEndExcluding": "11.5.50",
"versionStartIncluding": "11.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:phpunit_project:phpunit:*:*:*:*:*:-:*:*",
"matchCriteriaId": "B2941A20-1ADB-41E7-B171-C138FC2612BF",
"versionEndExcluding": "12.5.8",
"versionStartIncluding": "12.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `[\u0027allowed_classes\u0027 =\u003e false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control."
},
{
"lang": "es",
"value": "PHPUnit es un framework de pruebas para PHP. Se ha descubierto una vulnerabilidad en versiones anteriores a 12.5.8, 11.5.50, 10.5.62, 9.6.33 y 8.5.52 que involucra la deserializaci\u00f3n insegura de datos de cobertura de c\u00f3digo en la ejecuci\u00f3n de pruebas PHPT. La vulnerabilidad existe en el m\u00e9todo `cleanupForCoverage()`, que deserializa archivos de cobertura de c\u00f3digo sin validaci\u00f3n, lo que podr\u00eda permitir la ejecuci\u00f3n remota de c\u00f3digo si archivos `.coverage` maliciosos est\u00e1n presentes antes de la ejecuci\u00f3n de la prueba PHPT. La vulnerabilidad ocurre cuando un archivo `.coverage`, que no deber\u00eda existir antes de la ejecuci\u00f3n de la prueba, es deserializado sin la restricci\u00f3n del par\u00e1metro `allowed_classes`. Un atacante con acceso de escritura de archivos local puede colocar un objeto serializado malicioso con un m\u00e9todo `__wakeup()` en el sistema de archivos, lo que lleva a la ejecuci\u00f3n de c\u00f3digo arbitrario durante las ejecuciones de pruebas con la instrumentaci\u00f3n de cobertura de c\u00f3digo habilitada. Esta vulnerabilidad requiere acceso de escritura de archivos local a la ubicaci\u00f3n donde PHPUnit almacena o espera archivos de cobertura de c\u00f3digo para las pruebas PHPT. Esto puede ocurrir a trav\u00e9s de ataques a la cadena de CI/CD, el entorno de desarrollo local y/o dependencias comprometidas. En lugar de simplemente sanear silenciosamente la entrada a trav\u00e9s de `[\u0027allowed_classes\u0027 =\u0026gt; false]`, el mantenedor ha optado por hacer expl\u00edcito el estado an\u00f3malo tratando los archivos `.coverage` preexistentes para las pruebas PHPT como una condici\u00f3n de error. A partir de las versiones 12.5.8, 11.5.50, 10.5.62, 9.6.33, cuando se detecta un archivo `.coverage` para una prueba PHPT antes de la ejecuci\u00f3n, PHPUnit emitir\u00e1 un mensaje de error claro que identifique el estado an\u00f3malo. Las organizaciones pueden reducir el riesgo efectivo de esta vulnerabilidad a trav\u00e9s de una configuraci\u00f3n adecuada de CI/CD, incluyendo ejecutores ef\u00edmeros, aplicaci\u00f3n de revisi\u00f3n de c\u00f3digo, protecci\u00f3n de ramas, aislamiento de artefactos y control de acceso."
}
],
"id": "CVE-2026-24765",
"lastModified": "2026-03-03T15:25:01.720",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-01-27T22:15:56.790",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00009.html"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2025-68670
Vulnerability from fkie_nvd - Published: 2026-01-27 16:16 - Updated: 2026-02-06 19:59
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system. The vulnerability allows an attacker to overwrite the stack buffer and the return address, which could theoretically be used to redirect the execution flow. The impact of this vulnerability is lessened if a compiler flag has been used to build the xrdp executable with stack canary protection. If this is the case, a second vulnerability would need to be used to leak the stack canary value. Upgrade to version 0.10.5 to receive a patch. Additionally, do not rely on stack canary protection on production systems.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| neutrinolabs | xrdp | * | |
| debian | debian_linux | 11.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:neutrinolabs:xrdp:*:*:*:*:*:*:*:*",
"matchCriteriaId": "EF7BFA59-F9D6-4B4F-8CB7-137054E9C030",
"versionEndExcluding": "0.10.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system. The vulnerability allows an attacker to overwrite the stack buffer and the return address, which could theoretically be used to redirect the execution flow. The impact of this vulnerability is lessened if a compiler flag has been used to build the xrdp executable with stack canary protection. If this is the case, a second vulnerability would need to be used to leak the stack canary value. Upgrade to version 0.10.5 to receive a patch. Additionally, do not rely on stack canary protection on production systems."
},
{
"lang": "es",
"value": "xrdp es un servidor RDP de c\u00f3digo abierto. xrdp antes de la v0.10.5 contiene una vulnerabilidad de desbordamiento de b\u00fafer basado en pila no autenticado. El problema se deriva de una comprobaci\u00f3n de l\u00edmites incorrecta al procesar la informaci\u00f3n de dominio del usuario durante la secuencia de conexi\u00f3n. Si se explota, la vulnerabilidad podr\u00eda permitir a atacantes remotos ejecutar c\u00f3digo arbitrario en el sistema objetivo. La vulnerabilidad permite a un atacante sobrescribir el b\u00fafer de pila y la direcci\u00f3n de retorno, lo que te\u00f3ricamente podr\u00eda usarse para redirigir el flujo de ejecuci\u00f3n. El impacto de esta vulnerabilidad se reduce si se ha utilizado una bandera de compilador para construir el ejecutable de xrdp con protecci\u00f3n de stack canary. Si este es el caso, se necesitar\u00eda usar una segunda vulnerabilidad para filtrar el valor del stack canary. Actualice a la versi\u00f3n 0.10.5 para recibir un parche. Adem\u00e1s, no conf\u00ede en la protecci\u00f3n de stack canary en sistemas de producci\u00f3n."
}
],
"id": "CVE-2025-68670",
"lastModified": "2026-02-06T19:59:50.957",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2026-01-27T16:16:16.037",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/neutrinolabs/xrdp/commit/488c8c7d4d189514a366cd8301b6e816c5218ffa"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6f"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00003.html"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-121"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-787"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}