Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on going security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i .e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat es at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s o it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n umbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi ng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p atch the issue.
Conclusion & alert: CVE-2025-62603 is rated Low Risk (20.8/100): CVSS Low severity, with low exploitation likelihood (EPSS 0.50%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.03% | 0.50% | +0.47% |
| 2 | 2026-06-10 | 0.05% | 0.03% | -0.02% |
| 3 | 2026-05-13 | — | 0.05% | — |
Full EPSS history (6 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 1.7 | 4.0 | LOW |
|
— | — | [email protected] |
| 7.5 | 3.1 | HIGH |
|
3.9 | 3.6 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2025-62603 not yet assigned priority: Debian including 1 source packages (fastdds), 4 status rows across 4 suites (bookworm, bullseye, sid, trixie): open 4. | https://security-tracker.debian.org/tracker/CVE-2025-62603 |
ubuntu
|
medium | CVE-2025-62603 medium priority: Ubuntu including 1 source packages (fastdds), 5 status rows across 5 suites (jammy, noble, plucky, questing, upstream): needs-triage 4, ignored 1. | https://ubuntu.com/security/CVE-2025-62603 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| eprosima | fast_dds | < 2.6.11 | cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:* |
| eprosima | fast_dds | >= 3.0.0, < 3.3.1 | cpe:2.3:a:eprosima:fast_dds:*:*:*:*:*:*:*:* |
| eprosima | fast_dds | 3.4.0 | cpe:2.3:a:eprosima:fast_dds:3.4.0:*:*:*:*:*:*:* |
| debian | debian_linux | 11.0 | cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* |
| debian | debian_linux | 12.0 | cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:* |
| debian | debian_linux | 13.0 | cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:* |