{"id":"CVE-2024-30258","summary":"FastDDS crashes when a publisher sends a malformed packet","details":"FastDDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group). Prior to versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8, when a publisher serves a malformed `RTPS` packet, the subscriber crashes when creating `pthread`. This can be used to remotely crash any Fast-DDS process, potentially leading to a denial-of-service (DoS) attack. Versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8 contain a patch for the issue.\n","aliases":["GHSA-53xw-465j-rxfh"],"modified":"2026-04-12T09:49:32.581428Z","published":"2024-05-13T14:41:52.318Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-20"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/30xxx/CVE-2024-30258.json"},"references":[{"type":"WEB","url":"https://drive.google.com/file/d/19W5UC52hPnAqVq_boZWO45d1TJ4WoCSh/view?usp=sharing"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/30xxx/CVE-2024-30258.json"},{"type":"ADVISORY","url":"https://github.com/eProsima/Fast-DDS/security/advisories/GHSA-53xw-465j-rxfh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-30258"},{"type":"FIX","url":"https://github.com/eProsima/Fast-DDS/commit/65236f93e9c4ea3ff9a49fba4dfd9e43eb94037b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eprosima/fast-dds","events":[{"introduced":"0"},{"last_affected":"4c2016660e7d6a6e94970e1a2b4dcd8e47f21581"},{"fixed":"77cfbe8a3a831ac525dbaf4c741743f65f3316c1"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"= 
2.14.0"},{"fixed":"2.6.8"}]}},{"type":"GIT","repo":"https://github.com/eprosima/fast-dds","events":[{"introduced":"f633573e69e0552f5f0a48d5ed960a0782e2fea8"},{"fixed":"f376f7eb3758ec523fed0519e84e768233668b25"}],"database_specific":{"versions":[{"introduced":"2.13.0"},{"fixed":"2.13.5"}]}},{"type":"GIT","repo":"https://github.com/eprosima/fast-dds","events":[{"introduced":"463d59ca81c7fd732edf45b982a58c0b54fc1da4"},{"fixed":"3118cba80c7b0db2c9bd0ede8671e3d31785cbda"}],"database_specific":{"versions":[{"introduced":"2.10.0"},{"fixed":"2.10.4"}]}}],"versions":["2.0.0-beta","2.0.0-rc","Discovery-Time_Data_Typing","v1.0.0","v1.3.0","v1.4.0","v1.5.0","v1.6.0","v1.7.0","v1.7.1","v1.7.2","v1.8.0","v1.8.0-2","v1.9.0","v1.9.0-beta","v1.9.0-beta-2","v2.1.0","v2.10.0-rc1","v2.10.1-rc1","v2.14.0","v2.2.0","v2.3.0-1","v2.3.0-api"],"database_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["262956306831166481237303932868870361372","306604317174497932475465898607727697833","196513365605387483283372719964676140728","294552922959227129118208678759959282933","233002817893507405036982977419080917531","137118083659526854717517586406070424281"]},"id":"CVE-2024-30258-725a5a7b","target":{"file":"src/cpp/rtps/participant/RTPSParticipantImpl.cpp"},"deprecated":false,"source":"https://github.com/eprosima/fast-dds/commit/3118cba80c7b0db2c9bd0ede8671e3d31785cbda","signature_type":"Line","signature_version":"v1"},{"digest":{"length":6264,"function_hash":"324427933685653720667523570866654147901"},"id":"CVE-2024-30258-ecb73c2a","target":{"function":"RTPSParticipantImpl::update_attributes","file":"src/cpp/rtps/participant/RTPSParticipantImpl.cpp"},"deprecated":false,"source":"https://github.com/eprosima/fast-dds/commit/3118cba80c7b0db2c9bd0ede8671e3d31785cbda","signature_type":"Function","signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-30258.json","vanir_signatures_modified":"2026-04-12T09:49:32Z"}}],"schema_version"
:"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H"}]}