Skip to main content

FatFs CVE-2026-6684

| EUVDEUVD-2026-40994 MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-07-01 runZero GHSA-vhc7-qgwj-vx6v
4.6
CVSS 3.1 · Vendor: runZero
Share

Severity by source

Vendor (runZero) PRIMARY
4.6 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
4.6 MEDIUM

Physical media insertion is required (AV:P); no privileges or user interaction needed; only availability is impacted (A:H) via mount-time hang with no data exposure.

3.1 AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:P/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (runZero).

CVSS VectorVendor: runZero

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 14:55 vuln.today

DescriptionCVE.org

FatFs prior to R0.16 that use GPT scanning with 'FF_LBA64 = 1' contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.

AnalysisAI

Unbounded mount-time loop in FatFs prior to R0.16 allows physical attackers to cause a denial of service by presenting a crafted GPT disk image with an arbitrarily large GPTH_PtNum partition count field. The flaw is present only in builds where the FF_LBA64 = 1 compile-time flag is set, enabling 64-bit LBA and GPT scanning support. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain physical device access
Delivery
Insert crafted GPT disk image with inflated GPTH_PtNum
Exploit
FatFs reads unbounded partition count from GPT header
Execution
Mount loop iterates indefinitely
Impact
Device availability permanently disrupted until reboot

Vulnerability AssessmentAI

Exploitation Exploitation requires physical access to the target device (AV:P) sufficient to insert removable storage media such as an SD card or USB drive. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS physical attack vector (AV:P) is the dominant risk-limiting factor: an attacker must physically insert crafted removable media - an SD card, USB storage device, or similar - into the target device to trigger the flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with physical access to an embedded device - such as an industrial controller or kiosk - inserts a crafted SD card containing a GPT disk image where GPTH_PtNum is set to 0xFFFFFFFF. When the device attempts to automount the media, FatFs compiled with FF_LBA64 = 1 enters an effectively infinite partition-scanning loop, permanently hanging the mount thread and rendering the device unavailable until power-cycled. …
Remediation Upgrade FatFs to R0.16 or later, which is the vendor-designated patched release resolving the unbounded GPTH_PtNum loop; source is available at https://elm-chan.org/fsw/ff/. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6684 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy