CVE-2025-62603 (GCVE-0-2025-62603)

Vulnerability from cvelistv5 – Published: 2026-02-03 19:23 – Updated: 2026-02-03 20:44
VLAI?
Title
FastDDS has Out-of-memory while parsing GenericMessage when DDS Security is enabled
Summary
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on going security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i .e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat es at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s o it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n umbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi ng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p atch the issue.
Severity ?
1.7 (Low)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U
CWE
Assigner
References
Impacted products
Vendor Product Version
eProsima Fast-DDS Affected: 3.4.0 , < 3.4.1 (custom)
Affected: 3.0.0 , < 3.3.1 (custom)
Affected: 0 , < 2.6.11 (custom)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62603",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-03T20:44:04.457672Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-03T20:44:12.618Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Fast-DDS",
          "repo": "https://github.com/eProsima/Fast-DDS",
          "vendor": "eProsima",
          "versions": [
            {
              "lessThan": "3.4.1",
              "status": "affected",
              "version": "3.4.0",
              "versionType": "custom"
            },
            {
              "lessThan": "3.3.1",
              "status": "affected",
              "version": "3.0.0",
              "versionType": "custom"
            },
            {
              "lessThan": "2.6.11",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\noup). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also\n ongoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and tok\nen delivery for newly appearing endpoints.\u0026nbsp;On receive, the CDR parser is invoked first and deserializes the `message_\ndata` (i.e., the `DataHolderSeq`) via the `readParticipantGenericMessage \u2192 readDataHolderSeq` path.\u0026nbsp;The `DataHolderSe\nq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-\nDH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector).\u0026nbsp\n;The parser operates at a stateless level and does not know higher-layer state (for example, whether the handshake has alr\neady completed), so it fully unfolds the structure before distinguishing legitimate from malformed traffic.\u0026nbsp;Because R\nTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check \nidentity and sequence numbers before discarding or processing a message; the current implementation, however, does not \"p\neek\" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1,\n and 2.6.11, this parsing behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4\n.1, 3.3.1, and 2.6.11 patch the issue."
            }
          ],
          "value": "Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on\ngoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token \ndelivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i\n.e., the `DataHolderSeq`) via the `readParticipantGenericMessage \u2192 readDataHolderSeq` path. The `DataHolderSeq` is parsed \nsequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`),\n string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat\nes at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s\no it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates,\n delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n\numbers before discarding or processing a message; the current implementation, however, does not \"peek\" only at a minimal\n header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi\nng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p\natch the issue."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 1.7,
            "baseSeverity": "LOW",
            "exploitMaturity": "UNREPORTED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-03T19:23:38.191Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "url": "https://security-tracker.debian.org/tracker/CVE-2025-62603"
        },
        {
          "url": "https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f"
        },
        {
          "url": "https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a"
        },
        {
          "url": "https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "FastDDS has Out-of-memory while parsing GenericMessage when DDS Security is enabled",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-62603",
    "datePublished": "2026-02-03T19:23:38.191Z",
    "dateReserved": "2025-10-16T19:24:37.267Z",
    "dateUpdated": "2026-02-03T20:44:12.618Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-62603\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-03T20:15:56.787\",\"lastModified\":\"2026-02-18T16:11:42.930\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\\n). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on\\ngoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token \\ndelivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i\\n.e., the `DataHolderSeq`) via the `readParticipantGenericMessage \u2192 readDataHolderSeq` path. The `DataHolderSeq` is parsed \\nsequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`),\\n string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat\\nes at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s\\no it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates,\\n delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n\\numbers before discarding or processing a message; the current implementation, however, does not \\\"peek\\\" only at a minimal\\n header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi\\nng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p\\natch the issue.\"},{\"lang\":\"es\",\"value\":\"Fast DDS es una implementaci\u00f3n en C++ del est\u00e1ndar DDS (Data Distribution Service) de la OMG (Object Management Group). ParticipantGenericMessage es el contenedor de mensajes de control de DDS Security que transporta no solo el handshake sino tambi\u00e9n el tr\u00e1fico de control de seguridad continuo despu\u00e9s del handshake, como el intercambio de cripto-tokens, el rekeying, la re-autenticaci\u00f3n y la entrega de tokens para los endpoints que aparecen recientemente. Al recibir, el analizador CDR se invoca primero y deserializa el \u0027message_data\u0027 (es decir, el \u0027DataHolderSeq\u0027) a trav\u00e9s de la ruta \u0027readParticipantGenericMessage ? readDataHolderSeq\u0027. El \u0027DataHolderSeq\u0027 se analiza secuencialmente: un recuento de secuencia (\u0027uint32\u0027), y para cada DataHolder la cadena \u0027class_id\u0027 (por ejemplo, \u0027DDS:Auth:PKI-DH:1.0+Req\u0027), propiedades de cadena (una secuencia de pares clave/valor), y propiedades binarias (un nombre m\u00e1s un vector de octetos). El analizador opera a un nivel sin estado y no conoce el estado de capas superiores (por ejemplo, si el handshake ya se ha completado), por lo que despliega completamente la estructura antes de distinguir el tr\u00e1fico leg\u00edtimo del malformado. Debido a que RTPS permite duplicados, retrasos y retransmisiones, un receptor debe realizar al menos un an\u00e1lisis estructural m\u00ednimo para verificar la identidad y los n\u00fameros de secuencia antes de descartar o procesar un mensaje; la implementaci\u00f3n actual, sin embargo, no \u0027echa un vistazo\u0027 solo a una cabecera m\u00ednima y en su lugar analiza todo el \u0027DataHolderSeq\u0027. Como resultado, antes de las versiones 3.4.1, 3.3.1 y 2.6.11, este comportamiento de an\u00e1lisis puede desencadenar una condici\u00f3n de falta de memoria y terminar el proceso de forma remota. Las versiones 3.4.1, 3.3.1 y 2.6.11 parchean el problema.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":1.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.6.11\",\"matchCriteriaId\":\"8BAE40E0-6DFF-4878-9438-9C2488C9831C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.3.1\",\"matchCriteriaId\":\"94A01F76-524F-4A5B-A782-CC789F229136\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eprosima:fast_dds:3.4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D4452677-95AB-46F9-9B76-9F0B15E62261\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"46D69DCC-AE4D-4EA5-861C-D60951444C6C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"204FC6CC-9DAC-45FB-8A9F-C9C8EDD29D54\"}]}]}],\"references\":[{\"url\":\"https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://security-tracker.debian.org/tracker/CVE-2025-62603\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-62603\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-03T20:44:04.457672Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-03T20:44:08.790Z\"}}], \"cna\": {\"title\": \"FastDDS has Out-of-memory while parsing GenericMessage when DDS Security is enabled\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 1.7, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U\", \"exploitMaturity\": \"UNREPORTED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/eProsima/Fast-DDS\", \"vendor\": \"eProsima\", \"product\": \"Fast-DDS\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.4.0\", \"lessThan\": \"3.4.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"3.3.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.6.11\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://security-tracker.debian.org/tracker/CVE-2025-62603\"}, {\"url\": \"https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f\"}, {\"url\": \"https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a\"}, {\"url\": \"https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\\n). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on\\ngoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token \\ndelivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i\\n.e., the `DataHolderSeq`) via the `readParticipantGenericMessage \\u2192 readDataHolderSeq` path. The `DataHolderSeq` is parsed \\nsequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`),\\n string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat\\nes at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s\\no it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates,\\n delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n\\numbers before discarding or processing a message; the current implementation, however, does not \\\"peek\\\" only at a minimal\\n header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi\\nng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p\\natch the issue.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Gr\\noup). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also\\n ongoing security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and tok\\nen delivery for newly appearing endpoints.\u0026nbsp;On receive, the CDR parser is invoked first and deserializes the `message_\\ndata` (i.e., the `DataHolderSeq`) via the `readParticipantGenericMessage \\u2192 readDataHolderSeq` path.\u0026nbsp;The `DataHolderSe\\nq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-\\nDH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector).\u0026nbsp\\n;The parser operates at a stateless level and does not know higher-layer state (for example, whether the handshake has alr\\neady completed), so it fully unfolds the structure before distinguishing legitimate from malformed traffic.\u0026nbsp;Because R\\nTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check \\nidentity and sequence numbers before discarding or processing a message; the current implementation, however, does not \\\"p\\neek\\\" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1,\\n and 2.6.11, this parsing behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4\\n.1, 3.3.1, and 2.6.11 patch the issue.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-125\", \"description\": \"CWE-125 Out-of-bounds Read\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-03T19:23:38.191Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-62603\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-03T20:44:12.618Z\", \"dateReserved\": \"2025-10-16T19:24:37.267Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-03T19:23:38.191Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.