CVE-2024-30258: 
Linux Debian vulnerability analysis and mitigation

FastDDS, a C++ implementation of the DDS (Data Distribution Service) standard by OMG (Object Management Group), was found to be vulnerable to a crash condition prior to versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8. The vulnerability (CVE-2024-30258) was discovered when a publisher serves a malformed RTPS packet, causing the subscriber to crash during pthread creation (GitHub Advisory).

The vulnerability occurs when processing malformed RTPS packets in the subscriber component. When a malicious publisher sends a specially crafted packet, it triggers a crash during pthread creation due to an out-of-memory condition in the allocator. The issue has been assigned a CVSS v3.1 base score of 7.5 (High) by NIST with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating it can be exploited remotely without requiring privileges or user interaction (NVD).

The vulnerability can lead to a denial of service (DoS) condition by remotely crashing any Fast-DDS process. This is particularly concerning as it affects the core communication functionality of the DDS implementation, potentially disrupting critical systems that rely on Fast-DDS for data distribution (GitHub Advisory).

The vulnerability has been patched in versions 2.14.1, 2.13.5, 2.10.4, and 2.6.8. Users are strongly advised to upgrade to these patched versions to protect against potential DoS attacks. The fix has been implemented through a commit that addresses the packet handling vulnerability (GitHub Patch).