CVE-2025-62603 – Fast DDS versions prior to 3.4.1, 3.3.1, and 2.... (How to Fix)

Q: What is the severity of CVE-2025-62603?

CVE-2025-62603 has a CVSS score of 7.5 (HIGH). Fast DDS versions prior to 3.4.1, 3.3.1, and 2.6.11 contain a vulnerability where malicious ParticipantGenericMessage packets can trigger excessive memory allocation during CDR parsing, leading to out-of-memory conditions and process termination. This affects systems using Fast DDS for DDS communication, particularly in real-time and IoT applications. The vulnerability is remotely exploitable without authentication.

📋 TL;DR

Fast DDS versions prior to 3.4.1, 3.3.1, and 2.6.11 contain a vulnerability where malicious ParticipantGenericMessage packets can trigger excessive memory allocation during CDR parsing, leading to out-of-memory conditions and process termination. This affects systems using Fast DDS for DDS communication, particularly in real-time and IoT applications. The vulnerability is remotely exploitable without authentication.

💻 Affected Systems

Products:

Fast DDS (formerly Fast RTPS)

Versions: All versions prior to 3.4.1, 3.3.1, and 2.6.11

Operating Systems: All platforms running Fast DDS

Default Config Vulnerable: ⚠️ Yes

Notes: Any system using Fast DDS with DDS Security enabled and processing ParticipantGenericMessage traffic is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote denial of service causing process termination and service disruption in critical systems using Fast DDS for communication.

🟠

Likely Case

Remote denial of service through process termination, disrupting DDS-based communication in affected systems.

🟢

If Mitigated

Minimal impact if patched versions are deployed or if systems are isolated from untrusted networks.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation possible, leading to service disruption.

🏢 Internal Only: MEDIUM - Internal attackers could disrupt services, but requires network access to Fast DDS endpoints.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW - Sending specially crafted ParticipantGenericMessage packets triggers the vulnerability.

Exploitation requires sending malicious DDS packets to vulnerable endpoints; no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.1, 3.3.1, or 2.6.11

Vendor Advisory: https://github.com/eProsima/Fast-DDS/security/advisories

Restart Required: Yes

Instructions:

1. Identify Fast DDS version. 2. Upgrade to 3.4.1, 3.3.1, or 2.6.11 depending on your branch. 3. Recompile applications using Fast DDS. 4. Restart all Fast DDS processes.

🔧 Temporary Workarounds

Network Segmentation

all

Restrict access to Fast DDS endpoints to trusted networks only.

Use firewall rules to block untrusted access to DDS ports (typically 7400-7410 UDP/TCP)

Resource Limits

all

Set memory limits on Fast DDS processes to contain impact.

ulimit -v [LIMIT] (Linux)
Set-ProcessMitigation (Windows)

🧯 If You Can't Patch

Implement strict network access controls to limit exposure to trusted sources only.
Monitor process memory usage and restart services if abnormal consumption is detected.

🔍 How to Verify

Check if Vulnerable:

Check Fast DDS version; if below 3.4.1, 3.3.1, or 2.6.11, system is vulnerable.

Check Version:

Check application documentation or build configuration for Fast DDS version; or use 'strings' on binaries containing Fast DDS libraries.

Verify Fix Applied:

Confirm Fast DDS version is 3.4.1, 3.3.1, or 2.6.11 or higher.

📡 Detection & Monitoring

Log Indicators:

Process termination logs
Out-of-memory errors in system/application logs
Abnormal memory consumption patterns

Network Indicators:

Unusual volume of ParticipantGenericMessage traffic
Malformed DDS packets to port 7400-7410

SIEM Query:

Process termination events from Fast DDS applications OR memory allocation failures in application logs

📊 Metadata

CVE ID: CVE-2025-62603

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-125

EPSS Score: 0.03% exploit probability (9.1th percentile)

Published: February 3, 2026

Last Updated: February 18, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-62603, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Debian Linux by Debian

Debian Linux by Debian

Debian Linux by Debian

Fast Dds by Eprosima

Fast Dds by Eprosima

Fast Dds by Eprosima

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Network Segmentation

Resource Limits

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities