Skip to main content

FatFs EUVDEUVD-2026-40999

| CVE-2026-6687 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-07-01 runZero GHSA-wghw-hg6m-7rh3
7.6
CVSS 3.1 · Vendor: runZero
Share

Severity by source

Vendor (runZero) PRIMARY
7.6 HIGH
AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
6.8 MEDIUM

Physical delivery of crafted exFAT media (AV:P), no auth or interaction (PR:N/UI:N); library runs in one context so S:U, with full memory-corruption impact yielding C/I/A:H.

3.1 AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (runZero).

CVSS VectorVendor: runZero

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 14:50 vuln.today

DescriptionCVE.org

FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.

AnalysisAI

Stack-based buffer overflow in FatFs R0.16 and earlier allows an attacker who can present crafted exFAT media to corrupt the stack via f_getlabel(), because the exFAT volume-label length field (XDIR_NumLabel) is trusted without enforcing the specification maximum. FatFs is an embedded FAT/exFAT filesystem library used across microcontroller and IoT firmware, so any device that mounts and reads the label of attacker-supplied storage is exposed. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft exFAT image with oversized label length
Delivery
Insert media into target device
Exploit
Device calls f_getlabel() on volume
Execution
Overflow fixed stack buffer
Persist
Overwrite saved return address
Impact
Execute attacker code or crash

Vulnerability AssessmentAI

Exploitation Exploitation requires the target to mount and read the volume label of an attacker-controlled exFAT filesystem image - the vulnerable path is f_getlabel() on an exFAT volume, so builds compiled without exFAT support (FF_FS_EXFAT disabled) are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS v3.1 vector (AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, 7.6 High) hinges on physical attack vector - the attacker must supply crafted exFAT media to the target, which sharply limits mass exploitation compared to a network-facing bug, so despite the High score real-world urgency is moderate and situational. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts an exFAT-formatted SD card or USB stick whose volume directory entry declares an oversized label length, then physically inserts it into a target device (kiosk, industrial controller, IoT appliance) that automatically reads the volume label via f_getlabel(). Parsing the malicious label overflows the stack buffer, corrupting the return address and enabling denial of service or arbitrary code execution on the embedded target. …
Remediation Upgrade FatFs to the fixed upstream release published after R0.16 from https://elm-chan.org/fsw/ff/ once available; the reference data does not name an exact patched version, so treat this as 'upstream fix available (advisory/commit); released patched version not independently confirmed' and pin to the specific corrected revision from the vendor page before rebuilding firmware. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems and firmware versions using FatFs library (check vendor documentation, firmware release notes, embedded device BOMs, and supply chain data). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40999 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy