CVE-2025-64098 is an out-of-bounds read vulnerability classified under CWE-125 and CWE-190 affecting eProsima Fast-DDS, a C++ implementation of the OMG DDS standard used for real-time data distribution. The flaw exists in versions prior to 3.4.1, 3.3.1, and 2.6.11 when the security mode is enabled. Specifically, if an attacker modifies the DATA Submessage within an SPDP packet sent by a publisher, they can tamper with the `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` fields. These fields include a `vecsize` value read by the `readOctetVector` function. By manipulating this 32-bit integer value, an integer overflow occurs, causing the `std::vector::resize` method to allocate an attacker-controlled size. This leads to an out-of-memory (OOM) condition that causes the Fast-DDS process to terminate remotely, resulting in a denial-of-service (DoS) condition. The vulnerability does not require authentication or user interaction and can be triggered remotely over the network. There are no known exploits in the wild, and the CVSS 4.0 base score is 1.7, reflecting low severity due to limited impact and ease of exploitation. The issue is patched in Fast-DDS versions 3.4.1, 3.3.1, and 2.6.11.

The primary impact of CVE-2025-64098 is denial of service through remote process termination of Fast-DDS instances. For European organizations, this could disrupt real-time data distribution in critical systems such as industrial automation, automotive communication networks, aerospace, defense, and IoT deployments that rely on Fast-DDS for reliable and timely data exchange. Although the vulnerability does not allow data disclosure or code execution, availability loss in these environments can lead to operational downtime, safety risks, and potential cascading failures in interconnected systems. Organizations in sectors with stringent uptime requirements or safety-critical operations may face significant operational and reputational impacts if this vulnerability is exploited. However, the lack of known exploits and the requirement for specific packet tampering reduce the immediate threat level.

European organizations should immediately upgrade eProsima Fast-DDS to versions 3.4.1, 3.3.1, or 2.6.11 where the vulnerability is patched. Network-level filtering should be implemented to restrict and monitor SPDP packet traffic, especially from untrusted or external sources, to reduce exposure. Deploy intrusion detection systems (IDS) with signatures or heuristics to detect anomalous SPDP packets with malformed DATA Submessages. Conduct thorough code reviews and fuzz testing on custom DDS implementations or extensions to identify similar integer overflow or out-of-bounds read issues. Additionally, implement robust resource limits and process isolation to mitigate the impact of potential OOM conditions. Regularly audit and update security configurations of Fast-DDS deployments, ensuring security mode is enabled with validated token handling. Finally, maintain incident response readiness to quickly recover from potential DoS events.