What is the CVSS score of CVE-2025-62601?

CVE-2025-62601 has a CVSS 3.1 base score of 7.5 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Fast Dds are affected by CVE-2025-62601?

CVE-2025-62601 is a high-severity vulnerability affecting Fast DDS, a middleware component used in distributed systems and real-time data applications.. A patch is available.

How to fix or mitigate CVE-2025-62601?

Within 24 hours: Inventory all systems running Fast DDS and assess exposure in production environments. Within 7 days: Apply available vendor patch to non-production systems and conduct testing to validate compatibility. Within 30 days: Deploy patch to all production Fast DDS instances following change management procedures, prioritizing critical systems first.

Fast Dds CVE-2025-62601

HIGH

Heap-based Buffer Overflow (CWE-122)

2026-02-03 security-advisories@github.com

Buffer Overflow Integer Overflow Fast Dds

7.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch released

Feb 18, 2026 - 16:12 nvd

Patch available

CVE Published

Feb 03, 2026 - 20:15 nvd

HIGH 7.5

DescriptionNVD

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN in the DATA Submessage - specifically by tampering with the str_size value read by readString (called from readBinaryProperty) - are modified, a 32-bit integer overflow can occur, causing std::vector::resize to use an attacker-controlled size and quickly trigger heap buffer overflow and remote process term ination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.

AnalysisAI

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]

Technical ContextAI

Classified as CWE-122 (Heap-based Buffer Overflow). Affects Fast Dds. Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN in the DATA Submessage — specifically by tampering with the str_size value read by

RemediationAI

A vendor patch is available — apply it immediately. Enable ASLR, DEP/NX, and stack canaries where possible. Restrict network access to the affected service where possible.

CVE-2025-62601 vulnerability details – vuln.today

Back

Fast Dds CVE-2025-62601

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code