FatFS FAT32 integer overflow in mount_volume()

Vendor: ChaN
Product: FatFs
Executive summary

CVE-2026-6682 affects ChaN's FatFs R0.16 and earlier. During FAT32 mount processing, mount_volume() computes the size of the FAT area with fasize *= fs->n_fats in 32-bit arithmetic; a crafted BPB_FATSz32 makes that multiply wrap, which places the data region inside attacker-controlled FAT space and lets the attacker forge the file-size metadata that downstream callers pass as read lengths. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Physical access is the usual vector, but remote delivery is also possible in OTA/update pipelines that mount an image before verifying it. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.

Identified downstream projects that bundle FatFs include Espressif IoT Development Framework, STMicroelectronics Middleware FatFS MCU, ArduPilot, RIOT OS, Arm Limited Mbed, YANSSIE HK LIMITED Keystone3 Firmware, Bionic Avionics Inc. FlySight Firmware, and Damien P. George's MicroPython.

Technical details

The vulnerable arithmetic occurs during FAT32 mount processing:

fasize = ld_32(win + BPB_FATSz32);
fs->n_fats = fs->win[BPB_NumFATs];
fasize *= fs->n_fats;  /* overflow point: 32-bit multiply */

With crafted values such as BPB_FATSz32 = 0x80000001 and BPB_NumFATs = 2, the 32-bit multiply wraps to 2, so the FAT area appears to be only two sectors long. The truncated result places fs->database (the first data sector) inside what is really attacker-controlled FAT space, so the directory entries FatFs reads from there, and the values f_stat()/f_readdir() return from them, including finfo.fsize, can be forged. Many downstream applications then follow the classic vulnerable pattern:

FILINFO finfo;
FIL fp; UINT br; BYTE buf[4096];
f_stat("0:/firmware.bin", &finfo);
f_open(&fp, "0:/firmware.bin", FA_READ);
f_read(&fp, buf, finfo.fsize, &br);  /* unbounded by sizeof(buf) */

Because finfo.fsize is attacker-influenced under this condition, the f_read() request can exceed the destination buffer and overflow stack or heap memory, yielding memory corruption and plausible code execution on embedded targets.
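The following is an added example, not FatFs code and not runZero's proof of concept: a stand-alone C model of the FAT32 FAT-area arithmetic that mount_volume() performs, run on a constructed boot sector carrying the crafted values above, beside a checked replacement that multiplies in 64 bits and rejects the image, and a clamp for the downstream read length. build_boot_sector(), mount_unchecked(), mount_checked() and bounded_read_len() are names invented for this example; the BPB offsets are the standard FAT32 ones that FatFs also uses.

```c
/* Added example: models the FAT32 FAT-area arithmetic of mount_volume() on a
 * constructed boot sector. Not FatFs code; function names are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE     512
#define BPB_RsvdSecCnt  14   /* WORD  */
#define BPB_NumFATs     16   /* BYTE  */
#define BPB_TotSec16    19   /* WORD  */
#define BPB_TotSec32    32   /* DWORD */
#define BPB_FATSz32     36   /* DWORD */

/* Little-endian loads and stores, the same job as the ld_ and st_ helpers in ff.c. */
static uint16_t ld_16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t ld_32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void st_16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void st_32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constructed boot sector: only the fields the mount arithmetic reads are filled in. */
static void build_boot_sector(uint8_t win[SECTOR_SIZE], uint32_t fatsz32, uint8_t nfats,
                              uint32_t totsec, uint16_t rsvd) {
    memset(win, 0, SECTOR_SIZE);
    st_16(win + BPB_RsvdSecCnt, rsvd);
    win[BPB_NumFATs] = nfats;
    st_16(win + BPB_TotSec16, 0);            /* FAT32 volumes carry the total in TotSec32 */
    st_32(win + BPB_TotSec32, totsec);
    st_32(win + BPB_FATSz32, fatsz32);
    win[510] = 0x55; win[511] = 0xAA;
}

struct layout {
    uint32_t fatbase;   /* first sector of the FAT area */
    uint32_t fasize;    /* sectors covered by all FAT copies */
    uint32_t database;  /* first data sector */
};

/* Unchecked model of the quoted arithmetic: fasize is a 32-bit value, so
 * fasize *= n_fats wraps modulo 2^32 and every later offset builds on the wrapped value. */
struct layout mount_unchecked(const uint8_t *win) {
    struct layout l;
    uint32_t fasize = ld_32(win + BPB_FATSz32);
    uint8_t n_fats = win[BPB_NumFATs];
    fasize *= n_fats;                        /* overflow point */
    l.fatbase = ld_16(win + BPB_RsvdSecCnt);
    l.fasize = fasize;
    l.database = l.fatbase + fasize;         /* FAT32 has no fixed root-directory area */
    return l;
}

uint32_t fat_area_unchecked(uint32_t fatsz32, uint8_t nfats) {
    uint8_t win[SECTOR_SIZE];
    build_boot_sector(win, fatsz32, nfats, 0x00100000u, 32);
    return mount_unchecked(win).fasize;
}

/* Checked model: multiply in 64 bits and refuse a FAT area that would wrap or would
 * not fit inside the volume. A later "total sectors < system sectors" test cannot
 * catch this case on its own, because fasize is already truncated when it runs. */
int mount_checked(const uint8_t *win, struct layout *out) {
    uint32_t fatsz = ld_32(win + BPB_FATSz32);
    uint8_t n_fats = win[BPB_NumFATs];
    uint32_t rsvd = ld_16(win + BPB_RsvdSecCnt);
    uint32_t tsect = ld_16(win + BPB_TotSec16);
    if (tsect == 0) tsect = ld_32(win + BPB_TotSec32);
    if (n_fats != 1 && n_fats != 2) return 0;                   /* FatFs enforces this too */
    if (fatsz == 0 || fatsz > UINT32_MAX / n_fats) return 0;    /* product would wrap */
    uint64_t fasize = (uint64_t)fatsz * n_fats;
    if ((uint64_t)rsvd + fasize >= tsect) return 0;             /* no room left for data */
    out->fatbase = rsvd;
    out->fasize = (uint32_t)fasize;
    out->database = rsvd + (uint32_t)fasize;
    return 1;
}

int mount_checked_ok(uint32_t fatsz32, uint8_t nfats, uint32_t totsec) {
    uint8_t win[SECTOR_SIZE];
    struct layout l;
    build_boot_sector(win, fatsz32, nfats, totsec, 32);
    return mount_checked(win, &l);
}

/* Downstream side: a size read back from the volume must never decide how much is
 * copied into a fixed buffer; clamp it to the buffer before passing it to f_read(). */
uint32_t bounded_read_len(uint64_t claimed_fsize, uint32_t buf_len) {
    return claimed_fsize > buf_len ? buf_len : (uint32_t)claimed_fsize;
}

int main(void) {
    uint8_t win[SECTOR_SIZE];
    struct layout l;
    build_boot_sector(win, 0x80000001u, 2, 0x00100000u, 32);   /* the crafted BPB values */
    l = mount_unchecked(win);
    printf("unchecked: fasize=%u database=%u (FAT area wrapped)\n",
           (unsigned)l.fasize, (unsigned)l.database);
    printf("checked:   %s\n", mount_checked(win, &l) ? "accepted" : "rejected");
    printf("f_read length for claimed fsize 0xffffffff into a 4096-byte buffer: %u\n",
           (unsigned)bounded_read_len(0xFFFFFFFFu, 4096));
    return 0;
}
```

The unchecked path reports a two-sector FAT area and a data region starting at sector 34, exactly the shift the advisory describes; the checked path refuses the same sector because 0x80000001 exceeds UINT32_MAX / 2 before any multiply happens. The clamp on the downstream side is deliberately independent of the mount fix: firmware that cannot update its FatFs copy can still stop trusting finfo.fsize as a read length.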

For more details, see https://github.com/runZeroInc/vulns-2026-fatfs-chance

Attacker value

An attacker who controls a mounted FAT image (an evil SD card, a removable-media swap, or an OTA container mounted before full verification) can turn trusted file-size metadata into a memory-corruption primitive. This enables targeted denial of service and, in favorable memory layouts, code execution.

Downstream impact is broad: products derived from Espressif IoT Development Framework and STMicroelectronics Middleware FatFS MCU are especially high-value because of ecosystem size; MicroPython-, ArduPilot-, RIOT OS-, and Arm Limited Mbed-based deployments are also exposed wherever file sizes read from the volume are trusted in read paths.

Credit

Discovered by HD Moore, CVE coordination by Tod Beardsley, both of runZero, Inc.

Timeline

  • 2026-03-17 (Tue): Initial findings discovered and documented
  • 2026-04-20 (Mon): CVE IDs reserved
  • 2026-04-20 (Mon): Initial outreach to the provider, ChaN (no response)
  • 2026-04-27 (Mon): Outreach to JPCERT/CC for coordination help (TN: JPCERT#96 280429)
  • 2026-04-28 (Tue): JPCERT/CC outreach to the provider in Japanese (no response after three attempts)
  • 2026-05-14 (Wed): Outreach to a major downstream implementor upon JPCERT/CC recommendation (responded, but unwilling to receive full details)
  • 2026-06-18 (Thu): Updated JPCERT/CC and downstream vendor with a date change to Jul 1 for disclosure
  • 2026-07-01 (Wed): Public disclosure of CVE-2026-6682

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!. Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.
