Skip to main content

FatFs CVE-2026-6685

| EUVDEUVD-2026-40996 MEDIUM
Integer Underflow (CWE-191)
2026-07-01 runZero GHSA-rggj-rv54-4gvx
6.1
CVSS 3.1 · Vendor: runZero
Share

Severity by source

Vendor (runZero) PRIMARY
6.1 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
6.1 MEDIUM

Physical access required per embedded context; no privileges needed; integrity and availability fully impacted; no confidentiality exposure from cache-skip bug.

3.1 AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (runZero).

CVSS VectorVendor: runZero

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 14:54 vuln.today

DescriptionCVE.org

FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp->sect - sect < cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.

AnalysisAI

Integer underflow in FatFs R0.16 and earlier corrupts filesystem integrity via a stale dirty-cache skip during interleaved read/write operations on fragmented volumes. The condition fp->sect - sect < cc in f_read() and f_write() uses unsigned arithmetic - when sect exceeds fp->sect, the subtraction wraps to a large unsigned value, bypassing the required cache flush and leaving stale or inconsistent data on disk. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain physical device access
Delivery
Mount or present fragmented FAT volume
Exploit
Trigger interleaved f_read/f_write on same file object
Execution
Unsigned subtraction wraps in sector comparison
Persist
Dirty cache flush skipped
Impact
Stale or corrupted data written to persistent storage

Vulnerability AssessmentAI

Exploitation Physical access to the target device is required (AV:P per CVSS vector). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H, score 6.1 Medium) indicates physical access is required, which substantially limits the realistic threat surface compared to network-exploitable vulnerabilities of similar CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An adversary with physical access to an embedded device (such as an industrial controller or IoT appliance) running firmware that uses FatFs mounts or interacts with a fragmented FAT volume - such as an SD card written across multiple non-contiguous clusters. By triggering a workload that interleaves f_read() and f_write() calls on the same file object across sector boundaries that cause unsigned wrap, the attacker causes the dirty-cache flush to be skipped, leaving inconsistent or attacker-influenced data persisted to disk instead of the correct content. …
Remediation No vendor-released patched version has been independently confirmed in the available data - the fix version is not cited in any reference. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6685 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy