DEBIAN-CVE-2025-62603

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2025-62603

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-62603.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-62603

Upstream

CVE-2025-62603

Published

2026-02-03T20:15:56.787Z

Modified

2026-02-19T17:20:32.810534Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on going security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the message_data (i .e., the DataHolderSeq) via the readParticipantGenericMessage → readDataHolderSeq path. The DataHolderSeq is parsed sequentially: a sequence count (uint32), and for each DataHolder the class_id string (e.g. DDS:Auth:PKI-DH:1.0+Req), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat es at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s o it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n umbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal header and instead parses the entire DataHolderSeq. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi ng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p atch the issue.

References

https://security-tracker.debian.org/tracker/CVE-2025-62603

Affected packages

Debian:11 / fastdds

Package

Name: fastdds
Purl: pkg:deb/debian/fastdds?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.1.0+ds-9

2.1.0+ds-9+deb11u1

2.3.2+ds-1

2.3.2+ds-2

2.3.3+ds-1

2.3.4+ds-1

2.3.4+ds-2

2.3.4+ds-3

2.3.4+ds-4

2.4.0+ds-1

2.4.0+ds-2

2.4.0+ds-3

2.4.1+ds-1

2.5.0+ds-1

2.5.0+ds-2

2.5.0+ds-3

2.5.1+ds-1

2.6.0+ds-1

2.6.0+ds-2

2.6.0+ds-3

2.6.1+ds-1

2.6.1+ds-2

2.7.0+ds-1

2.7.0+ds-2

2.7.1+ds-1~bpo11+1

2.7.1+ds-1

2.8.0+ds-1

2.8.0+ds-2

2.8.1+ds-1

2.9.0+ds-1

2.9.0+ds-2

2.9.1+ds-1

2.10.1+ds-1

2.10.1+ds-2

2.10.1+ds-3

2.11.2+ds-1

2.11.2+ds-2

2.11.2+ds-3

2.11.2+ds-4

2.11.2+ds-5

2.11.2+ds-6

2.11.2+ds-6.1~exp1

2.11.2+ds-6.1

2.14.0+ds-1

2.14.0+ds-2

2.14.0+ds-3

2.14.0+ds-4

2.14.1+ds-1

2.14.2+ds-1

2.14.3+ds-1

3.*

3.0.0+ds-1

3.0.0+ds-2

3.0.0+ds-3

3.0.1+ds-1

3.1.0+ds-1

3.1.0+ds-2

3.1.2+ds-1

3.3.0+ds-1

3.3.0+ds-2

3.3.0+ds-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-62603.json"

Debian:12 / fastdds

Package

Name: fastdds
Purl: pkg:deb/debian/fastdds?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.9.1+ds-1

2.9.1+ds-1+deb12u1

2.9.1+ds-1+deb12u2

2.10.1+ds-1

2.10.1+ds-2

2.10.1+ds-3

2.11.2+ds-1

2.11.2+ds-2

2.11.2+ds-3

2.11.2+ds-4

2.11.2+ds-5

2.11.2+ds-6

2.11.2+ds-6.1~exp1

2.11.2+ds-6.1

2.14.0+ds-1

2.14.0+ds-2

2.14.0+ds-3

2.14.0+ds-4

2.14.1+ds-1

2.14.2+ds-1

2.14.3+ds-1

3.*

3.0.0+ds-1

3.0.0+ds-2

3.0.0+ds-3

3.0.1+ds-1

3.1.0+ds-1

3.1.0+ds-2

3.1.2+ds-1

3.3.0+ds-1

3.3.0+ds-2

3.3.0+ds-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-62603.json"

Debian:13 / fastdds

Package

Name: fastdds
Purl: pkg:deb/debian/fastdds?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.1.2+ds-1

3.3.0+ds-1

3.3.0+ds-2

3.3.0+ds-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-62603.json"

Debian:14 / fastdds

Package

Name: fastdds
Purl: pkg:deb/debian/fastdds?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.1.2+ds-1

3.3.0+ds-1

3.3.0+ds-2

3.3.0+ds-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-62603.json"