How to fix CVE-2025-62602?

Within 24 hours: Inventory all systems running Fast DDS and assess exposure in production environments. Within 7 days: Apply the available vendor patch to non-production systems and validate functionality. Within 30 days: Complete patching of all production Fast DDS instances and verify through security testing.

Is Integer Overflow affected by CVE-2025-62602?

CVE-2025-62602 is a high-severity vulnerability in Fast DDS that could allow attackers to compromise systems using this middleware for real-time data distribution.

CVE-2025-62602

HIGH

2026-02-03 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch Released

Feb 18, 2026 - 16:12 nvd

Patch available

CVE Published

Feb 03, 2026 - 20:15 nvd

HIGH 7.5

Description

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with - specially `readOctetVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter - the attacker-contro lled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca tion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.

Analysis

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 7.5 HIGH]

Technical Context

Classified as CWE-122 (Heap-based Buffer Overflow). Affects Fast Dds. Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group

). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an

SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields

of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specially `readOctetVector`

reads an unch

Affected Products

Vendor: Eprosima. Product: Fast Dds.

Remediation

A vendor patch is available — apply it immediately. Enable ASLR, DEP/NX, and stack canaries where possible. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

CVE-2025-62602 vulnerability details – vuln.today

Back

CVE-2025-62602

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-62602

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code