Debian: >> Debian Linux >> 13.0 Security Vulnerabilities
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t
he fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specifically by ta
mpering with the the `vecsize` value read by `readOctetVector` — a 32-bit integer overflow can occur, causing `std::vector
::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3
.3.1, and 2.6.11 patch the issue.
CVSS Score
5.9
EPSS Score
0.0
Published
2026-02-03
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields
of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with — specially `readOctetVector`
reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter — the attacker-contro
lled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca
tion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination.
Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-02-03
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on
going security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token
delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i
.e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed
sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`),
string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat
es at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s
o it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates,
delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n
umbers before discarding or processing a message; the current implementation, however, does not "peek" only at a minimal
header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi
ng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p
atch the issue.
CVSS Score
7.5
EPSS Score
0.001
Published
2026-02-03
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un
authenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft
ed to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write
s past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption (
RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
CVSS Score
9.8
EPSS Score
0.0
Published
2026-02-03
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t
he fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length
field in readBinaryPropertySeq — are modified, an integer overflow occurs, leading to an OOM during the resize operation.
Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-02-03
Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group
). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an
SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t
he fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage — specifically by tampering with the length
field in readPropertySeq — are modified, an integer overflow occurs, leading to an OOM during the resize operation. Versi
ons 3.4.1, 3.3.1, and 2.6.11 patch the issue.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-02-03
CVE-2025-32463
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
Known exploited
CVSS Score
9.3
EPSS Score
0.265
Published
2025-06-30
A flaw was found in the OpenSSH package. For each ping packet the SSH server receives, a pong packet is allocated in a memory buffer and stored in a queue of packages. It is only freed when the server/client key exchange has finished. A malicious client may keep sending such packages, leading to an uncontrolled increase in memory consumption on the server side. Consequently, the server may become unavailable, resulting in a denial of service attack.
CVSS Score
5.9
EPSS Score
0.425
Published
2025-02-28
In the cron package through 3.0pl1-128 on Debian, and through 3.0pl1-128ubuntu2 on Ubuntu, the postinst maintainer script allows for group-crontab-to-root privilege escalation via symlink attacks against unsafe usage of the chown and chmod programs.
CVSS Score
6.7
EPSS Score
0.001
Published
2017-06-09
A certain backport in the TCP Fast Open implementation for the Linux kernel before 3.18 does not properly maintain a count value, which allow local users to cause a denial of service (system crash) via the Fast Open feature, as demonstrated by visiting the chrome://flags/#enable-tcp-fast-open URL when using certain 3.10.x through 3.16.x kernel builds, including longterm-maintenance releases and ckt (aka Canonical Kernel Team) builds.
CVSS Score
4.9
EPSS Score
0.001
Published
2015-05-27
Page 1