| Name | CVE-2025-64438 |
| Description | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast -DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList .base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of s equence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination. No authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS limit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch t he issue. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1121096 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| fastdds (PTS) | bullseye (security), bullseye | 2.1.0+ds-9+deb11u1 | vulnerable |
| bookworm, bookworm (security) | 2.9.1+ds-1+deb12u2 | vulnerable | |
| trixie | 3.1.2+ds-1 | vulnerable | |
| forky, sid | 3.3.0+ds-3 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| fastdds | source | (unstable) | (unfixed) | 1121096 |
[trixie] - fastdds <no-dsa> (Minor issue)
[bookworm] - fastdds <no-dsa> (Minor issue)
[bullseye] - fastdds <postponed> (Minor issue)
Fixed by: https://github.com/eProsima/Fast-DDS/commit/0b0cb308eaeeb2175694aa0a0a723106824ce9a7 (v3.4.1)