Products
| # | Product |
| 1 | FatFs |
CVE: CVE-2026-6683
Executive summary #
CVE-2026-6683 affects ChaN's FatFs R0.16 and earlier. The flaw is a divide-by-zero in exFAT sync logic when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Identified downstream projects include STMicroelectronics Middleware FatFS MCU, Zephyr Project Zephyr RTOS, ArduPilot, RT-Thread, RIOT OS, Arm Limited Mbed, Samsung TizenRT, Damien P. George's MicroPython, Edy555's NanoVNA, and Stefano Babic's SWUpdate.
Technical details #
The exFAT free-space accounting path performs arithmetic that assumes a non-zero divisor:
/* representative expression in the sync path (PercInUse update) */
(n_fatent - 2 - free_clst) * 100 / (n_fatent - 2)
FatFs derives n_fatent as the boot-sector cluster count plus 2 (clusters 0 and 1 are reserved). When a crafted exFAT volume sets BPB_NumClusEx = 0, the cluster domain collapses to n_fatent = 2, so (n_fatent - 2) == 0. Any write, sync, or close path that reaches sync_fs() then divides by zero and faults (SIGFPE on hosted targets, a hard fault on Cortex-M class MCUs), causing an immediate crash.
Typical trigger sequence (the crafted volume is already attached as drive 0:):
#include "ff.h"
FATFS fs; FIL fp; UINT bw;
f_mount(&fs, "0:", 1);                              /* mount succeeds on unguarded versions */
f_open(&fp, "0:/x", FA_WRITE | FA_CREATE_ALWAYS);
f_write(&fp, "A", 1, &bw);
f_close(&fp);                                       /* sync path triggers divide-by-zero */
R0.16 has partial mount-time guards in some paths, but the core arithmetic defect remains a concern for older and downstream-vendored trees.
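The defect and its guard side by side, as an added example that is not FatFs code: a constructed exFAT boot sector is parsed for ClusterCount (offset 92, named BPB_NumClusEx as in FatFs), n_fatent is derived the unchecked way, and the PercentInUse arithmetic from the sync path is shown with and without a divisor check. The VOL_* result codes, the helper names, and the use of the exFAT specification's maximum ClusterCount (0xFFFFFFF5) as an upper bound are this example's own choices, not FatFs's; the mount-time check below is what a downstream vendor can add to an older vendored tree.

```c
/* Added example, not FatFs source: models the exFAT n_fatent derivation and the
 * PercentInUse update from the sync path, unchecked and checked. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE     512
#define BPB_NumClusEx   92          /* exFAT ClusterCount, 4 bytes LE (FatFs field name) */
#define BPB_PercInUseEx 112         /* exFAT PercentInUse, 1 byte */
#define EXFAT_MAX_CLUST 0xFFFFFFF5u /* maximum ClusterCount per the exFAT spec (example's bound) */

enum { VOL_OK = 0, VOL_NO_FILESYSTEM = -1, VOL_BAD_GEOMETRY = -2 }; /* example's own codes */

static uint32_t ld_dword(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void st_dword(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constructed exFAT boot sector: only the fields this example reads are populated. */
void make_exfat_boot_sector(uint8_t sec[SECTOR_SIZE], uint32_t cluster_count) {
    memset(sec, 0, SECTOR_SIZE);
    sec[0] = 0xEB; sec[1] = 0x76; sec[2] = 0x90;   /* JumpBoot */
    memcpy(sec + 3, "EXFAT   ", 8);                 /* FileSystemName */
    st_dword(sec + BPB_NumClusEx, cluster_count);   /* ClusterCount, attacker-controlled on crafted media */
    sec[510] = 0x55; sec[511] = 0xAA;               /* BootSignature */
}

/* Unguarded derivation: n_fatent = ClusterCount + 2, so ClusterCount == 0 gives n_fatent == 2. */
uint32_t n_fatent_unchecked(const uint8_t sec[SECTOR_SIZE]) {
    return ld_dword(sec + BPB_NumClusEx) + 2;
}

/* Guarded derivation: reject a volume with no data cluster (or an out-of-spec count)
 * at mount time, so n_fatent - 2 can never be zero in any later sync. */
int n_fatent_checked(const uint8_t sec[SECTOR_SIZE], uint32_t *n_fatent) {
    if (memcmp(sec + 3, "EXFAT   ", 8) != 0) return VOL_NO_FILESYSTEM;
    uint32_t nclst = ld_dword(sec + BPB_NumClusEx);
    if (nclst == 0 || nclst > EXFAT_MAX_CLUST) return VOL_BAD_GEOMETRY;
    *n_fatent = nclst + 2;
    return VOL_OK;
}

/* The advisory's sync-path arithmetic. Divides by (n_fatent - 2): undefined behaviour
 * (SIGFPE / hard fault) when n_fatent == 2. Never call it with that value. */
unsigned percent_in_use_unchecked(uint32_t n_fatent, uint32_t free_clst) {
    return (unsigned)(((uint64_t)(n_fatent - 2 - free_clst) * 100) / (n_fatent - 2));
}

/* Hardened update of the PercentInUse byte: refuse unless the divisor is positive and
 * free_clst lies inside the cluster domain. Returns the example's VOL_* code. */
int sync_percent_in_use(uint8_t sec[SECTOR_SIZE], uint32_t n_fatent, uint32_t free_clst) {
    if (n_fatent <= 2) return VOL_BAD_GEOMETRY;
    uint32_t nclst = n_fatent - 2;
    if (free_clst > nclst) return VOL_BAD_GEOMETRY;
    sec[BPB_PercInUseEx] = (uint8_t)(((uint64_t)(nclst - free_clst) * 100) / nclst);
    return VOL_OK;
}

/* Full guarded path for one constructed volume: mount check, then sync. Returns the
 * PercentInUse byte written, or the negative VOL_* code that stopped the path. */
int write_percent_for_volume(uint32_t cluster_count, uint32_t free_clst) {
    uint8_t sec[SECTOR_SIZE];
    uint32_t n_fatent;
    make_exfat_boot_sector(sec, cluster_count);
    int rc = n_fatent_checked(sec, &n_fatent);
    if (rc != VOL_OK) return rc;
    rc = sync_percent_in_use(sec, n_fatent, free_clst);
    if (rc != VOL_OK) return rc;
    return sec[BPB_PercInUseEx];
}

int main(void) {
    uint8_t sec[SECTOR_SIZE];
    make_exfat_boot_sector(sec, 1000);                   /* sane volume: 1000 data clusters */
    printf("sane volume: n_fatent=%u, PercInUse=%d\n",
           n_fatent_unchecked(sec), write_percent_for_volume(1000, 502));
    make_exfat_boot_sector(sec, 0);                      /* crafted volume: ClusterCount = 0 */
    printf("crafted volume: n_fatent=%u (divisor %u), guarded mount rc=%d\n",
           n_fatent_unchecked(sec), n_fatent_unchecked(sec) - 2, write_percent_for_volume(0, 0));
    return 0;
}
```

The guard belongs at mount time rather than only in sync_fs(): once n_fatent == 2 has been accepted, every later write, sync, and close inherits the zero divisor, and free_clst is also unconstrained. Checking the divisor again in the sync path, as sync_percent_in_use does, is cheap defence in depth for trees where the mount check cannot be audited.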
For more details, see https://github.com/runZeroInc/vulns-2026-fatfs-chance
Attacker value #
An attacker can reliably crash systems that write to crafted exFAT media. In embedded products this can become persistent operational denial of service, and in OTA/update workflows can produce mid-update failure or bricking behavior.
High-value downstream exposure includes Zephyr Project Zephyr RTOS-, RT-Thread-, STMicroelectronics Middleware FatFS MCU-, ArduPilot-, and Arm Limited Mbed-based systems that mount untrusted or semi-trusted removable media.
Credit #
Discovered by HD Moore, CVE coordination by Tod Beardsley, both of runZero, Inc.
Timeline #
- 2026-03-17 (Tue): Initial findings discovered and documented
- 2026-04-20 (Mon): CVE IDs reserved
- 2026-04-20 (Mon): Initial outreach to the provider, ChaN (no response)
- 2026-04-27 (Mon): Outreach to JPCERT/CC for coordination help (TN: JPCERT#96 280429)
- 2026-04-28 (Tue): JPCERT/CC outreach to the provider in Japanese (no response after three attempts)
- 2026-05-14 (Wed): Outreach to a major downstream implementor upon JPCERT/CC recommendation (responded, but unwilling to receive full details)
- 2026-06-18 (Thu): Updated JPCERT/CC and downstream vendor with a date change to Jul 1 for disclosure
- 2026-07-01 (Wed): Public disclosure of CVE-2026-6683