What is the CVSS score of CVE-2025-64098?

CVE-2025-64098 has a CVSS 3.1 base score of 5.9 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Which versions of Debian Linux are affected by CVE-2025-64098?

Organizations using Fast DDS should be aware of moderate risk from CVE-2025-64098, a out-of-bounds read vulnerability rated CVSS 5.9.. A patch is available.

How to fix or mitigate CVE-2025-64098?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.

Debian Linux CVE-2025-64098

MEDIUM

Out-of-bounds Read (CWE-125)

2026-02-03 security-advisories@github.com

Integer Overflow Debian Linux Fast Dds

5.9

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch released

Feb 18, 2026 - 16:15 nvd

Patch available

CVE Published

Feb 03, 2026 - 20:15 nvd

MEDIUM 5.9

DescriptionNVD

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t he fields of PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN in the DATA Submessage are tampered with - specifically by ta mpering with the the vecsize value read by readOctetVector - a 32-bit integer overflow can occur, causing std::vector ::resize to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3 .3.1, and 2.6.11 patch the issue.

AnalysisAI

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). [CVSS 5.9 MEDIUM]

Technical ContextAI

Classified as CWE-125 (Out-of-bounds Read). Affects Fast Dds. Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t he fields of PID_IDENTITY_TOKEN or PID_PERMISSIONS_TOKEN in the DATA Submessage are tampered with — specifically by ta mpering with t

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

CVE-2025-64098 vulnerability details – vuln.today

Back

Debian Linux CVE-2025-64098

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code