Severity by source
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Physical media insertion required (AV:P); no credentials needed; crash-only impact yields A:H with C:N and I:N.
Primary rating from Vendor (runZero).
CVSS VectorVendor: runZero
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
AnalysisAI
Divide-by-zero in FatFs R0.16 and earlier's exFAT sync logic crashes the filesystem when crafted volume metadata causes the expression n_fatent - 2 to evaluate to zero during write/sync operations, resulting in a hard fault or denial of service on the affected embedded device. The elm-chan FatFs library is widely bundled into microcontroller SDKs and IoT firmware, meaning the vulnerable code exists across a broad range of downstream products compiled with exFAT support. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target system to be running FatFs R0.16 or earlier compiled with exFAT support enabled - FAT32/FAT16/FAT12-only builds are not affected by this code path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.6 Medium correctly reflects the Physical attack vector (AV:P), constraining the standard exploitation path to an attacker who can insert a crafted storage medium into the target device. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts an exFAT volume image with the `n_fatent` field set to exactly 2 in the volume metadata, causing the sync logic's `n_fatent - 2` divisor to evaluate to zero. In the physical-vector case, the attacker inserts a USB drive or SD card containing this image into an affected embedded device; in deployments with network-accessible OTA update pipelines, the crafted image is delivered remotely. … |
| Remediation | The primary fix is to upgrade to a patched FatFs release once published by ChaN; as of this analysis, no confirmed fixed release version is available from the referenced data - the upstream project page at https://elm-chan.org/fsw/ff/ must be monitored for a new release. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Stack-based buffer overflow in FatFs R0.16 and earlier allows an attacker who can present crafted exFAT media to corrupt
Buffer overflow in FatFs R0.16 and earlier arises when long filenames (up to 255 characters, enabled via FF_USE_LFN) ret
Integer overflow in ELM-Chan FatFS R0.16 and earlier lets a crafted FAT32 volume corrupt file-size metadata during mount
Integer underflow in FatFs R0.16 and earlier corrupts filesystem integrity via a stale dirty-cache skip during interleav
Unbounded mount-time loop in FatFs prior to R0.16 allows physical attackers to cause a denial of service by presenting a
Uninitialized cluster exposure in FatFs R0.16 and earlier allows recovery of residual disk data when f_lseek() extends a
Same weakness CWE-369 – Divide By Zero
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40993
GHSA-74cg-p8q3-4c3q