FatFs exFAT divide-by-zero in sync/write paths

Executive summary #

CVE-2026-6683 affects ChaN's FatFs R0.16 and earlier. The flaw is a divide-by-zero in exFAT sync logic when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.

Identified downstream projects include STMicroelectronics Middleware FatFS MCU, Zephyr Project Zephyr RTOS, ArduPilot, RT-Thread, RIOT OS, Arm Limited Mbed, Samsung TizenRT, Damien P. George's MicroPython, Edy555's NanoVNA, and Stefano Babic's SWUpdate.

Technical details #

The exFAT free-space accounting path performs arithmetic that assumes a non-zero divisor:

/* representative expression in sync path */
(n_fatent - 2 - free_clst) * 100 / (n_fatent - 2)

When a crafted exFAT volume sets BPB_NumClusEx = 0, the computed cluster domain collapses to n_fatent = 2, making (n_fatent - 2) == 0. Any write, sync, or close path that reaches sync_fs() can then fault (SIGFPE on hosted builds, a hard fault on bare-metal targets), causing an immediate crash.

Typical trigger sequence:

FATFS fs;   /* volume work area */
FIL fp;     /* file object */
UINT bw;    /* bytes written */

f_mount(&fs, "0:", 1);
f_open(&fp, "0:/x", FA_WRITE | FA_CREATE_ALWAYS);
f_write(&fp, "A", 1, &bw);
f_close(&fp);  /* sync path triggers divide-by-zero */

R0.16 has partial mount-time guards in some paths, but the core arithmetic defect remains a concern for older and downstream-vendored trees.
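As an added illustration (not FatFs code and not from the advisory's repository), the following shows the mount-time rejection and the guarded sync-path arithmetic a port can apply. It assumes the exFAT boot-sector offset of ClusterCount (92, which FatFs names BPB_NumClusEx), the FatFs convention n_fatent = ClusterCount + 2, and a constructed boot-sector image with only that field populated.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Offsets follow the exFAT boot sector layout; the macro name mirrors FatFs. */
#define BPB_NumClusEx 92                 /* ClusterCount: data clusters, 32-bit LE */
#define EXFAT_MAX_CLUSTERS 0xFFFFFFF5u   /* exFAT spec upper bound: 2^32 - 11 */

static uint32_t ld_dword(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Mount-time derivation as FatFs does it: clusters are numbered from 2, so the
 * FAT entry count is ClusterCount + 2.  ClusterCount == 0 gives n_fatent == 2 and
 * a zero (n_fatent - 2) divisor later on, so the volume is refused here.
 * Returns 0 on success, -1 when the volume must be rejected. */
int exfat_load_n_fatent(const uint8_t bs[512], uint32_t *n_fatent) {
    uint32_t nclst = ld_dword(bs + BPB_NumClusEx);
    if (nclst == 0 || nclst > EXFAT_MAX_CLUSTERS) return -1;
    *n_fatent = nclst + 2;
    return 0;
}

/* Guarded form of the sync-path expression quoted above.  Returns -1 instead of
 * faulting when the cluster domain is empty or free_clst is stale. */
int exfat_percent_in_use(uint32_t n_fatent, uint32_t free_clst) {
    if (n_fatent <= 2) return -1;                 /* would divide by zero */
    uint32_t domain = n_fatent - 2;
    if (free_clst > domain) return -1;            /* would underflow the numerator */
    return (int)(((uint64_t)(domain - free_clst) * 100u) / domain);
}

/* Constructed 512-byte boot sector with only ClusterCount populated, run through
 * the mount-time check.  Returns the derived n_fatent, or 0 if rejected. */
uint32_t n_fatent_for_cluster_count(uint32_t cluster_count) {
    uint8_t bs[512];
    uint32_t n_fatent = 0;
    memset(bs, 0, sizeof bs);
    for (int i = 0; i < 4; i++) bs[BPB_NumClusEx + i] = (uint8_t)(cluster_count >> (8 * i));
    return exfat_load_n_fatent(bs, &n_fatent) == 0 ? n_fatent : 0;
}

int main(void) {
    printf("ClusterCount=0    -> n_fatent=%u (0 = rejected)\n", n_fatent_for_cluster_count(0));
    printf("ClusterCount=1000 -> n_fatent=%u\n", n_fatent_for_cluster_count(1000));
    printf("percent in use (1002, 250) = %d\n", exfat_percent_in_use(1002, 250));
    printf("percent in use (2, 0)      = %d\n", exfat_percent_in_use(2, 0));
    return 0;
}
```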

For more details, see https://github.com/runZeroInc/vulns-2026-fatfs-chance

Attacker value #

An attacker can reliably crash systems that write to crafted exFAT media. In embedded products this can become persistent operational denial of service, and in OTA/update workflows can produce mid-update failure or bricking behavior.

High-value downstream exposure includes systems based on Zephyr Project Zephyr RTOS, RT-Thread, STMicroelectronics Middleware FatFS MCU, ArduPilot, and Arm Limited Mbed that mount untrusted or semi-trusted removable media.

Credit #

Discovered by HD Moore, CVE coordination by Tod Beardsley, both of runZero, Inc.

Timeline #

  • 2026-03-17 (Tue): Initial findings discovered and documented
  • 2026-04-20 (Mon): CVE IDs reserved
  • 2026-04-20 (Mon): Initial outreach to the provider, ChaN (no response)
  • 2026-04-27 (Mon): Outreach to JPCERT/CC for coordination help (TN: JPCERT#96 280429)
  • 2026-04-28 (Tue): JPCERT/CC outreach to the provider in Japanese (no response after three attempts)
  • 2026-05-14 (Wed): Outreach to a major downstream implementor upon JPCERT/CC recommendation (responded, but unwilling to receive full details)
  • 2026-06-18 (Thu): Updated JPCERT/CC and downstream vendor with a date change to Jul 1 for disclosure
  • 2026-07-01 (Wed): Public disclosure of CVE-2026-6682

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!. Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.
