Heap-based Buffer Overflow in RTI Connext Professional Core Libraries

Successful exploitation can trigger heap memory corruption in RTI Connext Professional Core Libraries. Based on the provided CVSS 4.0 characteristics, exploitation is remote, requires no privileges and no user interaction, and can result in high confidentiality, integrity, and availability impact. In practical terms, this may enable denial of service through process crash or instability, and may also create conditions for further memory-corruption exploitation, potentially including unauthorized code execution or compromise of affected DDS-based applications, although the provided content does not explicitly confirm code execution.

If immediate patching is not possible, reduce exposure of RTI Connext Professional services to untrusted networks and untrusted DDS participants, and restrict network paths that can deliver attacker-controlled traffic to vulnerable applications. Segment affected systems, enforce allowlisting of trusted peers where operationally feasible, and monitor for crashes or anomalous behavior in Connext-based processes. These are compensating controls only; the primary mitigation is vendor patching.

Upgrade RTI Connext Professional to a vendor-fixed release. The provided remediation guidance indicates upgrading to 7.7.0 or later for affected 7.4.x deployments and to 7.3.1.3 or later for affected 7.0.x deployments. For affected legacy branches 6.1.x, 6.0.x, 5.3.x, and 5.0.x, apply the latest vendor-provided patched maintenance release in the respective branch or upgrade to a supported fixed release.