CVE-2025-64438: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') in eProsima Fast-DDS
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast -DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList .base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of s equence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination. No authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS limit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch t he issue.
AI Analysis
Technical Summary
The vulnerability CVE-2025-64438 affects eProsima Fast-DDS, a C++ implementation of the OMG DDS standard used for real-time data distribution. In versions prior to 3.4.1, 3.3.1, and 2.6.11, an attacker can remotely trigger an infinite loop within the StatefulReader::processGapMsg() function by sending a crafted RTPS GAP submessage with a large gap range. This causes the function to insert an excessive number of sequence numbers into the WriterProxy::changes_received_ set, a data structure implemented as a std::set, resulting in unbounded memory allocation. The memory consumption can grow to tens of gigabytes (observed up to ~64 GB), leading to out-of-memory conditions and process crashes, effectively causing a denial-of-service (DoS). The attack requires no authentication beyond network access to the DDS domain reader, making it remotely exploitable. The vulnerability stems from a loop with an unreachable exit condition (CWE-835), where the logic does not properly limit the number of iterations when processing the gap list. The issue is patched in Fast-DDS versions 3.4.1, 3.3.1, and 2.6.11. No known exploits have been reported in the wild as of the publication date.
Potential Impact
For European organizations, the impact of this vulnerability depends on the deployment of Fast-DDS in critical infrastructure, industrial automation, automotive, aerospace, or other real-time systems that rely on DDS for data communication. Exploitation can cause denial-of-service by exhausting system memory, leading to service interruptions and potential safety risks in operational technology environments. Organizations with network-exposed DDS readers are at risk without requiring authentication, increasing the attack surface. The large memory consumption can also affect system stability and availability, potentially disrupting business-critical processes. While the CVSS score is low, the operational impact in real-time or safety-critical systems can be significant. European sectors such as manufacturing, automotive, and defense that use DDS-based middleware should be particularly vigilant.
Mitigation Recommendations
1. Upgrade eProsima Fast-DDS to versions 3.4.1, 3.3.1, or 2.6.11 or later where the vulnerability is patched. 2. Implement network segmentation and restrict access to DDS domain readers to trusted hosts only, minimizing exposure to untrusted networks. 3. Employ network-level filtering to block malformed or suspicious RTPS GAP submessages, if feasible. 4. Monitor memory usage of Fast-DDS processes and set resource limits to prevent excessive memory consumption. 5. Use intrusion detection systems capable of recognizing anomalous DDS traffic patterns. 6. Conduct regular security assessments of DDS deployments, including penetration testing focused on protocol fuzzing. 7. Where possible, enable authentication and encryption features of DDS to reduce unauthorized access risk. 8. Maintain up-to-date incident response plans for denial-of-service scenarios affecting real-time communication middleware.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Finland
CVE-2025-64438: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') in eProsima Fast-DDS
Description
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast -DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList .base - gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of s equence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination. No authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS limit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch t he issue.
AI-Powered Analysis
Technical Analysis
The vulnerability CVE-2025-64438 affects eProsima Fast-DDS, a C++ implementation of the OMG DDS standard used for real-time data distribution. In versions prior to 3.4.1, 3.3.1, and 2.6.11, an attacker can remotely trigger an infinite loop within the StatefulReader::processGapMsg() function by sending a crafted RTPS GAP submessage with a large gap range. This causes the function to insert an excessive number of sequence numbers into the WriterProxy::changes_received_ set, a data structure implemented as a std::set, resulting in unbounded memory allocation. The memory consumption can grow to tens of gigabytes (observed up to ~64 GB), leading to out-of-memory conditions and process crashes, effectively causing a denial-of-service (DoS). The attack requires no authentication beyond network access to the DDS domain reader, making it remotely exploitable. The vulnerability stems from a loop with an unreachable exit condition (CWE-835), where the logic does not properly limit the number of iterations when processing the gap list. The issue is patched in Fast-DDS versions 3.4.1, 3.3.1, and 2.6.11. No known exploits have been reported in the wild as of the publication date.
Potential Impact
For European organizations, the impact of this vulnerability depends on the deployment of Fast-DDS in critical infrastructure, industrial automation, automotive, aerospace, or other real-time systems that rely on DDS for data communication. Exploitation can cause denial-of-service by exhausting system memory, leading to service interruptions and potential safety risks in operational technology environments. Organizations with network-exposed DDS readers are at risk without requiring authentication, increasing the attack surface. The large memory consumption can also affect system stability and availability, potentially disrupting business-critical processes. While the CVSS score is low, the operational impact in real-time or safety-critical systems can be significant. European sectors such as manufacturing, automotive, and defense that use DDS-based middleware should be particularly vigilant.
Mitigation Recommendations
1. Upgrade eProsima Fast-DDS to versions 3.4.1, 3.3.1, or 2.6.11 or later where the vulnerability is patched. 2. Implement network segmentation and restrict access to DDS domain readers to trusted hosts only, minimizing exposure to untrusted networks. 3. Employ network-level filtering to block malformed or suspicious RTPS GAP submessages, if feasible. 4. Monitor memory usage of Fast-DDS processes and set resource limits to prevent excessive memory consumption. 5. Use intrusion detection systems capable of recognizing anomalous DDS traffic patterns. 6. Conduct regular security assessments of DDS deployments, including penetration testing focused on protocol fuzzing. 7. Where possible, enable authentication and encryption features of DDS to reduce unauthorized access risk. 8. Maintain up-to-date incident response plans for denial-of-service scenarios affecting real-time communication middleware.
Affected Countries
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2025-11-03T22:12:51.366Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69825048f9fa50a62fdc199e
Added to database: 2/3/2026, 7:45:12 PM
Last enriched: 2/3/2026, 8:00:35 PM
Last updated: 2/4/2026, 3:18:59 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2026-1835: Cross-Site Request Forgery in lcg0124 BootDo
MediumCVE-2026-1813: Unrestricted Upload in bolo-blog bolo-solo
MediumCVE-2026-1632: CWE-306 Missing Authentication for Critical Function in RISS SRL MOMA Seismic Station
CriticalCVE-2026-1812: Path Traversal in bolo-blog bolo-solo
MediumCVE-2026-24514: CWE-770 Allocation of Resources Without Limits or Throttling in Kubernetes ingress-nginx
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.