{"id":"CVE-2025-64438","summary":"Fast-DDS: Unbounded GAP range triggers OOM DoS under RELIABLE QoS","details":"Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group\n). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast\n-DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList\n.base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of s\nequence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination. \nNo authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS \nlimit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch t\nhe issue.","modified":"2026-04-10T05:33:47.083448Z","published":"2026-02-03T19:32:22.265Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64438.json","cwe_ids":["CWE-835"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://security-tracker.debian.org/tracker/CVE-2025-64438"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/64xxx/CVE-2025-64438.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-64438"},{"type":"FIX","url":"https://github.com/eProsima/Fast-DDS/commit/0b0cb308eaeeb2175694aa0a0a723106824ce9a7"},{"type":"FIX","url":"https://github.com/eProsima/Fast-DDS/commit/71da01b4aea4d937558984f2cf0089f5ba3c871f"},{"type":"FIX","url":"https://github.com/eProsima/Fast-DDS/commit/8ca016134dac20b6e30e42b7b73466ef7cdbc213"},{"type":"PACKAGE","url":"https://github.com/eProsima/Fast-DDS"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eprosima/fast-dds","events":[{"introduced":"bf1d4c34c3b2b6267cd854346b1477854967264e"},{"fixed":"f4eaa03986ab228f56042160761836995974e671"}],"database_specific":{"versions":[{"introduced":"3.4.0"},{"fixed":"3.4.1"}]}},{"type":"GIT","repo":"https://github.com/eprosima/fast-dds","events":[{"introduced":"c53cd0a425e6f5483fbd971eb584b4360c306891"},{"fixed":"4ba5a3b754ee4fd40f8ae0feb3aff7e6708aae4a"}],"database_specific":{"versions":[{"introduced":"3.0.0"},{"fixed":"3.3.1"}]}},{"type":"GIT","repo":"https://github.com/eprosima/fast-dds","events":[{"introduced":"0"},{"fixed":"87dd60c8f3e8694481ad0279bd4cc8c645050da3"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.6.11"}]}}],"versions":["2.0.0-beta","2.0.0-rc","Discovery-Time_Data_Typing","v1.0.0","v1.3.0","v1.4.0","v1.5.0","v1.6.0","v1.7.0","v1.7.1","v1.7.2","v1.8.0","v1.8.0-2","v1.9.0","v1.9.0-beta","v1.9.0-beta-2","v2.1.0","v2.2.0","v2.3.0-1","v2.3.0-api"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-64438.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"}]}