Skip to main content

FatFs CVE-2026-6688

| EUVDEUVD-2026-41000 HIGH
Classic Buffer Overflow (CWE-120)
2026-07-01 runZero GHSA-8vm2-mjff-2gg2
7.6
CVSS 3.1 · Vendor: runZero
Share

Severity by source

Vendor (runZero) PRIMARY
7.6 HIGH
AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
6.8 MEDIUM

Physical media required (AV:P), no auth for parsing (PR:N); overflow stays within one process so S:U not S:C; memory corruption yields full C/I/A impact.

3.1 AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (runZero).

CVSS VectorVendor: runZero

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 14:51 vuln.today

DescriptionCVE.org

FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.

AnalysisAI

Buffer overflow in FatFs R0.16 and earlier arises when long filenames (up to 255 characters, enabled via FF_USE_LFN) returned in fno.fname are copied by downstream callers into short fixed-size buffers without bounds checks, corrupting memory in the embedded application. Reported by runZero, this is a downstream-caller (CWE-120) pattern affecting integrations of the popular ChaN FatFs embedded filesystem library rather than a defect in FatFs core parsing itself. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft FAT volume with 255-char LFN
Delivery
Physically insert media into device
Exploit
FatFs enumerates directory, returns long fname
Execution
Downstream caller copies into short buffer
Persist
Buffer overflow corrupts adjacent memory
Impact
Crash device or execute code

Vulnerability AssessmentAI

Exploitation Requires the attacker to physically supply a crafted FAT/exFAT volume (e.g., malicious USB or SD card) containing a directory entry with a long filename up to 255 characters, the target to be built with FatFs long filename support enabled (FF_USE_LFN), and a downstream caller that copies FILINFO.fname into an undersized fixed buffer without a bounds check. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should not be overstated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker formats a USB stick or SD card as FAT with a directory entry whose long filename approaches 255 characters, then physically inserts it into a target embedded device that enumerates the media using FatFs with LFN enabled. When the device's application copies the returned fname into a short fixed buffer, the overflow corrupts adjacent memory, enabling denial of service or potential code execution; a proof-of-concept demonstrating the pattern is published by runZero.
Remediation No vendor-released patched version was identified at time of analysis, so remediation centers on hardening the integration: audit every caller of f_readdir/f_stat/FILINFO.fname and replace unchecked copies with bounded operations (strncpy/snprintf/memcpy sized to the destination and validated against FF_LFN_BUF/FF_MAX_LFN), which is the definitive fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all products and embedded systems using FatFs R0.16 or earlier with FF_USE_LFN enabled; assess physical security controls around affected devices. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6688 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy