Skip to main content

Fatfs

7 CVEs product

Monthly

CVE-2026-6688 HIGH This Week

Buffer overflow in FatFs R0.16 and earlier arises when long filenames (up to 255 characters, enabled via FF_USE_LFN) returned in fno.fname are copied by downstream callers into short fixed-size buffers without bounds checks, corrupting memory in the embedded application. Reported by runZero, this is a downstream-caller (CWE-120) pattern affecting integrations of the popular ChaN FatFs embedded filesystem library rather than a defect in FatFs core parsing itself. Publicly available exploit code exists (SSVC Exploitation: PoC, runZero GitHub repo) with total technical impact, though the physical attack vector (AV:P) meaningfully constrains real-world reach; no CISA KEV listing.

Buffer Overflow Fatfs
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-6687 HIGH This Week

Stack-based buffer overflow in FatFs R0.16 and earlier allows an attacker who can present crafted exFAT media to corrupt the stack via f_getlabel(), because the exFAT volume-label length field (XDIR_NumLabel) is trusted without enforcing the specification maximum. FatFs is an embedded FAT/exFAT filesystem library used across microcontroller and IoT firmware, so any device that mounts and reads the label of attacker-supplied storage is exposed. Publicly available exploit code exists (runZero advisory and SSVC 'PoC'), but there is no public exploit identified in active use and it is not listed in CISA KEV.

Buffer Overflow Stack Overflow Fatfs
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.2%
CVE-2026-6686 MEDIUM This Month

Uninitialized cluster exposure in FatFs R0.16 and earlier allows recovery of residual disk data when f_lseek() extends a file beyond its current EOF without zeroing newly allocated FAT clusters. Any application or device reading the extended region receives raw, previously written sector content instead of zeroed bytes, leaking sensitive residual storage data such as deleted file fragments or cryptographic material. A proof-of-concept exploit exists per SSVC and runZero's GitHub repository; no active exploitation has been confirmed in CISA KEV.

Information Disclosure Fatfs
NVD GitHub VulDB
CVSS 3.1
4.6
EPSS
0.2%
CVE-2026-6685 MEDIUM This Month

Integer underflow in FatFs R0.16 and earlier corrupts filesystem integrity via a stale dirty-cache skip during interleaved read/write operations on fragmented volumes. The condition `fp->sect - sect < cc` in f_read() and f_write() uses unsigned arithmetic - when `sect` exceeds `fp->sect`, the subtraction wraps to a large unsigned value, bypassing the required cache flush and leaving stale or inconsistent data on disk. A proof-of-concept exists per SSVC assessment, and technical impact is rated Total, though physical access is required per the CVSS vector. No confirmed active exploitation (not in CISA KEV).

Integer Overflow Information Disclosure Fatfs
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-6684 MEDIUM This Month

Unbounded mount-time loop in FatFs prior to R0.16 allows physical attackers to cause a denial of service by presenting a crafted GPT disk image with an arbitrarily large GPTH_PtNum partition count field. The flaw is present only in builds where the FF_LBA64 = 1 compile-time flag is set, enabling 64-bit LBA and GPT scanning support. A public proof-of-concept is available from runZero; no confirmed active exploitation (CISA KEV) has been observed, and SSVC categorizes technical impact as partial, limited to availability.

Denial Of Service Fatfs
NVD GitHub
CVSS 3.1
4.6
EPSS
0.2%
CVE-2026-6683 MEDIUM This Month

Divide-by-zero in FatFs R0.16 and earlier's exFAT sync logic crashes the filesystem when crafted volume metadata causes the expression `n_fatent - 2` to evaluate to zero during write/sync operations, resulting in a hard fault or denial of service on the affected embedded device. The elm-chan FatFs library is widely bundled into microcontroller SDKs and IoT firmware, meaning the vulnerable code exists across a broad range of downstream products compiled with exFAT support. A proof-of-concept exists per SSVC assessment; no confirmed active exploitation (CISA KEV) has been recorded, and the physical attack vector limits mass exploitation, though network-accessible firmware update pipelines can extend effective reach.

Information Disclosure Fatfs
NVD GitHub
CVSS 3.1
4.6
EPSS
0.2%
CVE-2026-6682 HIGH This Week

Integer overflow in ELM-Chan FatFS R0.16 and earlier lets a crafted FAT32 volume corrupt file-size metadata during mount_volume(), where `fasize *= fs->n_fats` wraps and produces attacker-controlled, oversized read lengths in downstream callers. The affected code is a widely embedded FAT filesystem library used across microcontrollers and IoT firmware, and while primarily triggered by mounting malicious media, the vendor notes remote delivery is feasible via OTA/update pipelines. Publicly available exploit code exists (runZero research and proof-of-concept repository); no public exploit identified as actively used and it is not listed in CISA KEV.

Integer Overflow Buffer Overflow Fatfs
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.2%
EPSS 0% CVSS 7.6
HIGH This Week

Buffer overflow in FatFs R0.16 and earlier arises when long filenames (up to 255 characters, enabled via FF_USE_LFN) returned in fno.fname are copied by downstream callers into short fixed-size buffers without bounds checks, corrupting memory in the embedded application. Reported by runZero, this is a downstream-caller (CWE-120) pattern affecting integrations of the popular ChaN FatFs embedded filesystem library rather than a defect in FatFs core parsing itself. Publicly available exploit code exists (SSVC Exploitation: PoC, runZero GitHub repo) with total technical impact, though the physical attack vector (AV:P) meaningfully constrains real-world reach; no CISA KEV listing.

Buffer Overflow Fatfs
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Stack-based buffer overflow in FatFs R0.16 and earlier allows an attacker who can present crafted exFAT media to corrupt the stack via f_getlabel(), because the exFAT volume-label length field (XDIR_NumLabel) is trusted without enforcing the specification maximum. FatFs is an embedded FAT/exFAT filesystem library used across microcontroller and IoT firmware, so any device that mounts and reads the label of attacker-supplied storage is exposed. Publicly available exploit code exists (runZero advisory and SSVC 'PoC'), but there is no public exploit identified in active use and it is not listed in CISA KEV.

Buffer Overflow Stack Overflow Fatfs
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM This Month

Uninitialized cluster exposure in FatFs R0.16 and earlier allows recovery of residual disk data when f_lseek() extends a file beyond its current EOF without zeroing newly allocated FAT clusters. Any application or device reading the extended region receives raw, previously written sector content instead of zeroed bytes, leaking sensitive residual storage data such as deleted file fragments or cryptographic material. A proof-of-concept exploit exists per SSVC and runZero's GitHub repository; no active exploitation has been confirmed in CISA KEV.

Information Disclosure Fatfs
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM This Month

Integer underflow in FatFs R0.16 and earlier corrupts filesystem integrity via a stale dirty-cache skip during interleaved read/write operations on fragmented volumes. The condition `fp->sect - sect < cc` in f_read() and f_write() uses unsigned arithmetic - when `sect` exceeds `fp->sect`, the subtraction wraps to a large unsigned value, bypassing the required cache flush and leaving stale or inconsistent data on disk. A proof-of-concept exists per SSVC assessment, and technical impact is rated Total, though physical access is required per the CVSS vector. No confirmed active exploitation (not in CISA KEV).

Integer Overflow Information Disclosure Fatfs
NVD GitHub VulDB
EPSS 0% CVSS 4.6
MEDIUM This Month

Unbounded mount-time loop in FatFs prior to R0.16 allows physical attackers to cause a denial of service by presenting a crafted GPT disk image with an arbitrarily large GPTH_PtNum partition count field. The flaw is present only in builds where the FF_LBA64 = 1 compile-time flag is set, enabling 64-bit LBA and GPT scanning support. A public proof-of-concept is available from runZero; no confirmed active exploitation (CISA KEV) has been observed, and SSVC categorizes technical impact as partial, limited to availability.

Denial Of Service Fatfs
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM This Month

Divide-by-zero in FatFs R0.16 and earlier's exFAT sync logic crashes the filesystem when crafted volume metadata causes the expression `n_fatent - 2` to evaluate to zero during write/sync operations, resulting in a hard fault or denial of service on the affected embedded device. The elm-chan FatFs library is widely bundled into microcontroller SDKs and IoT firmware, meaning the vulnerable code exists across a broad range of downstream products compiled with exFAT support. A proof-of-concept exists per SSVC assessment; no confirmed active exploitation (CISA KEV) has been recorded, and the physical attack vector limits mass exploitation, though network-accessible firmware update pipelines can extend effective reach.

Information Disclosure Fatfs
NVD GitHub
EPSS 0% CVSS 7.6
HIGH This Week

Integer overflow in ELM-Chan FatFS R0.16 and earlier lets a crafted FAT32 volume corrupt file-size metadata during mount_volume(), where `fasize *= fs->n_fats` wraps and produces attacker-controlled, oversized read lengths in downstream callers. The affected code is a widely embedded FAT filesystem library used across microcontrollers and IoT firmware, and while primarily triggered by mounting malicious media, the vendor notes remote delivery is feasible via OTA/update pipelines. Publicly available exploit code exists (runZero research and proof-of-concept repository); no public exploit identified as actively used and it is not listed in CISA KEV.

Integer Overflow Buffer Overflow Fatfs
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy