Severity by source
AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Base trigger is mounting attacker-supplied media (AV:P), needing no auth or interaction (PR:N/UI:N); parser overflow crosses into downstream callers (S:C) with memory-corruption impact (C/I/A:H).
Primary rating from Vendor (runZero).
CVSS VectorVendor: runZero
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs->n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
AnalysisAI
Integer overflow in ELM-Chan FatFS R0.16 and earlier lets a crafted FAT32 volume corrupt file-size metadata during mount_volume(), where fasize *= fs->n_fats wraps and produces attacker-controlled, oversized read lengths in downstream callers. The affected code is a widely embedded FAT filesystem library used across microcontrollers and IoT firmware, and while primarily triggered by mounting malicious media, the vendor notes remote delivery is feasible via OTA/update pipelines. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target to mount an attacker-crafted FAT32 volume through FatFS mount_volume() - specifically a filesystem image with manipulated BPB/FAT-count fields that force the FAT-area size multiplication to overflow. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, 7.6) indicates a physical attack vector with low complexity, no privileges, no user interaction, a scope change, and total confidentiality/integrity/availability impact - consistent with the SSVC assessment of Exploitation: PoC and Technical Impact: Total. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a malicious FAT32 volume whose boot-sector fields force the `fasize *= fs->n_fats` computation to wrap, then gets a target embedded device to mount it - by inserting a prepared SD card/USB stick or, in a higher-exposure case, by supplying the crafted image through an OTA/firmware-update channel. When downstream code uses the corrupted, oversized file-size and read lengths, the attacker induces out-of-bounds reads/writes that can disclose memory or compromise the device. … |
| Remediation | Upgrade the FatFS module to a release later than R0.16 that contains the fixed mount_volume() bounds handling; consult the upstream project at https://elm-chan.org/fsw/ff/ for the corrected source and the runZero advisory (https://www.runzero.com/advisories/fatfs-fat32-int-of-mnt-cve-2026-6682/) for details - no exact fixed release version was provided in the input, so treat the patched version as 'per vendor/upstream advisory' rather than an assumed number and confirm the specific commit before shipping. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Conduct asset inventory to identify all systems and devices using ELM-Chan FatFS R0.16 or earlier, including microcontroller-based infrastructure and IoT hardware. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Stack-based buffer overflow in FatFs R0.16 and earlier allows an attacker who can present crafted exFAT media to corrupt
Buffer overflow in FatFs R0.16 and earlier arises when long filenames (up to 255 characters, enabled via FF_USE_LFN) ret
Integer underflow in FatFs R0.16 and earlier corrupts filesystem integrity via a stale dirty-cache skip during interleav
Unbounded mount-time loop in FatFs prior to R0.16 allows physical attackers to cause a denial of service by presenting a
Divide-by-zero in FatFs R0.16 and earlier's exFAT sync logic crashes the filesystem when crafted volume metadata causes
Uninitialized cluster exposure in FatFs R0.16 and earlier allows recovery of residual disk data when f_lseek() extends a
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40992
GHSA-c25x-vcg6-4ccx