Skip to main content

FatFs CVE-2026-6686

| EUVDEUVD-2026-40998 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-07-01 runZero GHSA-h94p-vjqx-v7rr
4.6
CVSS 3.1 · Vendor: runZero
Share

Severity by source

Vendor (runZero) PRIMARY
4.6 MEDIUM
AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.6 MEDIUM

Physical access to storage is required to both trigger the f_lseek gap and read residual clusters; no authentication needed once access is obtained, with no integrity or availability impact.

3.1 AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (runZero).

CVSS VectorVendor: runZero

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 14:51 vuln.today

DescriptionCVE.org

FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.

AnalysisAI

Uninitialized cluster exposure in FatFs R0.16 and earlier allows recovery of residual disk data when f_lseek() extends a file beyond its current EOF without zeroing newly allocated FAT clusters. Any application or device reading the extended region receives raw, previously written sector content instead of zeroed bytes, leaking sensitive residual storage data such as deleted file fragments or cryptographic material. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain physical access to target device
Delivery
Remove or access FAT storage medium
Exploit
Trigger f_lseek() past current EOF
Execution
FatFs allocates unzeroed FAT clusters
Persist
Read extended file region from storage
Impact
Extract residual sector data

Vulnerability AssessmentAI

Exploitation Exploitation requires physical access to the device or its removable storage medium, as confirmed by CVSS AV:P. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS v3.1 vector AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N scores 4.6 Medium, and the physical attack vector (AV:P) is the dominant risk limiter - an adversary must have direct physical access to the storage medium or device to both trigger and read the cluster exposure. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with physical access to a device running FatFs-based firmware - such as a field-deployed IoT sensor with a removable SD card - mounts the storage medium and triggers f_lseek() to seek a file handle past the current EOF, causing FatFs to allocate new FAT clusters without zeroing them. The attacker then reads the extended file region directly from the SD card using a standard FAT reader on a separate host, recovering residual sector content that may include previously deleted file fragments, cryptographic material, or sensitive configuration data. …
Remediation The primary fix is to upgrade to a version of FatFs released after R0.16 once the upstream maintainer elm-chan publishes a patched release; no confirmed fixed version number is available in the current input data, so the runZero advisory at https://www.runzero.com/advisories/fatfs-uninit-cluster-exposure-cve-2026-6686/ and the upstream distribution page at https://elm-chan.org/fsw/ff/ should be monitored for patch announcements. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6686 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy