Skip to main content

FatFS EUVDEUVD-2026-40992

| CVE-2026-6682 HIGH
Integer Overflow or Wraparound (CWE-190)
2026-07-01 runZero GHSA-c25x-vcg6-4ccx
7.6
CVSS 3.1 · Vendor: runZero
Share

Severity by source

Vendor (runZero) PRIMARY
7.6 HIGH
AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
7.6 HIGH

Base trigger is mounting attacker-supplied media (AV:P), needing no auth or interaction (PR:N/UI:N); parser overflow crosses into downstream callers (S:C) with memory-corruption impact (C/I/A:H).

3.1 AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (runZero).

CVSS VectorVendor: runZero

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 14:52 vuln.today

DescriptionCVE.org

In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs->n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.

AnalysisAI

Integer overflow in ELM-Chan FatFS R0.16 and earlier lets a crafted FAT32 volume corrupt file-size metadata during mount_volume(), where fasize *= fs->n_fats wraps and produces attacker-controlled, oversized read lengths in downstream callers. The affected code is a widely embedded FAT filesystem library used across microcontrollers and IoT firmware, and while primarily triggered by mounting malicious media, the vendor notes remote delivery is feasible via OTA/update pipelines. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious FAT32 volume
Delivery
Deliver via removable media or OTA image
Exploit
Device mounts via mount_volume()
Execution
Integer overflow wraps FAT-area size
Persist
Corrupted read lengths cause out-of-bounds access
Impact
Memory disclosure or device compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to mount an attacker-crafted FAT32 volume through FatFS mount_volume() - specifically a filesystem image with manipulated BPB/FAT-count fields that force the FAT-area size multiplication to overflow. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, 7.6) indicates a physical attack vector with low complexity, no privileges, no user interaction, a scope change, and total confidentiality/integrity/availability impact - consistent with the SSVC assessment of Exploitation: PoC and Technical Impact: Total. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious FAT32 volume whose boot-sector fields force the `fasize *= fs->n_fats` computation to wrap, then gets a target embedded device to mount it - by inserting a prepared SD card/USB stick or, in a higher-exposure case, by supplying the crafted image through an OTA/firmware-update channel. When downstream code uses the corrupted, oversized file-size and read lengths, the attacker induces out-of-bounds reads/writes that can disclose memory or compromise the device. …
Remediation Upgrade the FatFS module to a release later than R0.16 that contains the fixed mount_volume() bounds handling; consult the upstream project at https://elm-chan.org/fsw/ff/ for the corrected source and the runZero advisory (https://www.runzero.com/advisories/fatfs-fat32-int-of-mnt-cve-2026-6682/) for details - no exact fixed release version was provided in the input, so treat the patched version as 'per vendor/upstream advisory' rather than an assumed number and confirm the specific commit before shipping. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct asset inventory to identify all systems and devices using ELM-Chan FatFS R0.16 or earlier, including microcontroller-based infrastructure and IoT hardware. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40992 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy