Products
| # | Product |
| --- | --- |
| 1 | FatFs |
CVE
CVE-2026-6682
Executive summary #
CVE-2026-6682 affects ChaN's FatFs R0.16 and earlier. The issue is a FAT32 integer overflow in mount_volume(): the 32-bit product fasize *= fs->n_fats can wrap, which leads to attacker-controlled file-size metadata and unsafe read lengths in downstream callers that trust it. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible where an OTA/update pipeline mounts an image before it has been fully verified. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Identified downstream projects include Espressif IoT Development Framework, STMicroelectronics Middleware FatFS MCU, ArduPilot, RIOT OS, Arm Limited Mbed, YANSSIE HK LIMITED Keystone3 Firmware, Bionic Avionics Inc. FlySight Firmware, and Damien P. George's MicroPython.
Technical details #
The vulnerable arithmetic occurs during FAT32 mount processing:
fasize = ld_32(win + BPB_FATSz32);
fs->n_fats = fs->win[BPB_NumFATs];
fasize *= fs->n_fats; /* overflow point */
With crafted values such as BPB_FATSz32 = 0x80000001 and NumFATs = 2, the 32-bit multiply wraps (0x80000001 * 2 = 0x100000002, truncated to 2). The truncated result shifts fs->database into attacker-controlled FAT space. As a result, values consumed by f_stat()/f_readdir() can be forged, including finfo.fsize. Many downstream applications then use the classic vulnerable pattern:
FILINFO finfo;
f_stat("0:/firmware.bin", &finfo);
f_read(&fp, buf, finfo.fsize, &br); /* unbounded by sizeof(buf) */
Because finfo.fsize is attacker-influenced under this condition, the final f_read() count can overflow stack or heap buffers, yielding memory corruption and plausible code execution on embedded targets.
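The following C program is an added illustration, not code from FatFs or from the advisory. It reproduces the wrapping multiply on a constructed boot sector (the make_bpb() helper, the ld_32() reimplementation and the field offsets are assumptions of this example, named after the FatFs macros), shows a checked replacement that refuses a product that would wrap, and shows the bounded form of the downstream read pattern, where read_firmware_bounded() stands in for a caller of f_read() that never requests more bytes than its buffer holds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets into a FAT32 BPB; names follow the FatFs macros (assumed here). */
#define BPB_NumFATs  16
#define BPB_FATSz32  36
#define SECTOR_SIZE  512

/* Little-endian 32-bit load, equivalent to what FatFs's ld_32() does. */
static uint32_t ld_32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Constructed boot sector containing only the two fields this bug depends on. */
void make_bpb(uint8_t sector[SECTOR_SIZE], uint32_t fatsz32, uint8_t n_fats) {
    memset(sector, 0, SECTOR_SIZE);
    sector[BPB_NumFATs] = n_fats;
    sector[BPB_FATSz32 + 0] = (uint8_t)(fatsz32);
    sector[BPB_FATSz32 + 1] = (uint8_t)(fatsz32 >> 8);
    sector[BPB_FATSz32 + 2] = (uint8_t)(fatsz32 >> 16);
    sector[BPB_FATSz32 + 3] = (uint8_t)(fatsz32 >> 24);
}

/* The arithmetic from the advisory: an unsigned 32-bit product that wraps. */
uint32_t fat_area_size_unchecked(const uint8_t *sector) {
    uint32_t fasize = ld_32(sector + BPB_FATSz32);
    uint8_t n_fats = sector[BPB_NumFATs];
    fasize *= n_fats;            /* overflow point: 0x80000001 * 2 == 2 mod 2^32 */
    return fasize;
}

/* Hardened variant: only 1 or 2 FATs are valid, and the product must not wrap. */
bool fat_area_size_checked(const uint8_t *sector, uint32_t *out) {
    uint32_t fasize = ld_32(sector + BPB_FATSz32);
    uint8_t n_fats = sector[BPB_NumFATs];
    if (n_fats != 1 && n_fats != 2) return false;
    if (fasize == 0) return false;
    if (fasize > UINT32_MAX / n_fats) return false;  /* fasize * n_fats would wrap */
    *out = fasize * n_fats;
    return true;
}

/* Bounded form of the downstream read pattern. The vulnerable form passes
 * finfo.fsize straight to f_read(); this version treats a claimed size larger
 * than the buffer as an error instead of letting metadata size the copy.
 * file/file_len stand in for the on-disk data a real f_read() would return,
 * which may be shorter than the claimed size when the directory entry is forged. */
long read_firmware_bounded(const uint8_t *file, size_t file_len,
                           uint32_t claimed_fsize, uint8_t *buf, size_t bufsize) {
    if (claimed_fsize > bufsize) return -1;          /* never trust fsize over the buffer bound */
    size_t n = claimed_fsize < file_len ? claimed_fsize : file_len;
    memcpy(buf, file, n);
    return (long)n;                                  /* like br: may be shorter than requested */
}

int main(void) {
    uint8_t evil[SECTOR_SIZE], good[SECTOR_SIZE], buf[64], data[16] = {0};
    uint32_t size = 0;

    make_bpb(evil, 0x80000001u, 2);
    printf("unchecked evil fasize: 0x%08x\n", fat_area_size_unchecked(evil));
    printf("checked   evil mount : %s\n", fat_area_size_checked(evil, &size) ? "ok" : "rejected");

    make_bpb(good, 0x3B2u, 2);
    if (fat_area_size_checked(good, &size))
        printf("checked   good fasize: 0x%08x\n", size);

    printf("bounded read, forged fsize : %ld\n",
           read_firmware_bounded(data, sizeof data, 0xFFFFFFFFu, buf, sizeof buf));
    printf("bounded read, honest fsize : %ld\n",
           read_firmware_bounded(data, sizeof data, 16u, buf, sizeof buf));
    return 0;
}
```

The checked mount rejects the crafted sector outright; the honest sector (FATSz32 = 0x3B2, two FATs) yields 0x764 sectors of FAT area. Independently of the mount fix, a caller that clamps the read count to sizeof(buf) is not exploitable through finfo.fsize even on an unpatched library, which is the mitigation downstream projects can apply without waiting for an upstream release.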
For more details, see https://github.com/runZeroInc/vulns-2026-fatfs-chance
Attacker value #
An attacker with control of a mounted FAT image (evil SD card, removable media swap, or OTA container mounted before full verification) can turn trusted file-size metadata into a memory-corruption primitive. This enables targeted denial of service and, in favorable layouts, code execution.
Downstream impact is broad: Espressif IoT Development Framework and STMicroelectronics Middleware FatFS MCU-derived products are especially high-value due to ecosystem size; MicroPython-, ArduPilot-, RIOT OS-, and Arm Limited Mbed-based deployments are also exposed where file sizes are trusted in read paths.
Credit #
Discovered by HD Moore, CVE coordination by Tod Beardsley, both of runZero, Inc.
Timeline #
- 2026-03-17 (Tue): Initial findings discovered and documented
- 2026-04-20 (Mon): CVE IDs reserved
- 2026-04-20 (Mon): Initial outreach to the provider, ChaN (no response)
- 2026-04-27 (Mon): Outreach to JPCERT/CC for coordination help (TN: JPCERT#96 280429)
- 2026-04-28 (Tue): JPCERT/CC outreach to the provider in Japanese (no response after three attempts)
- 2026-05-14 (Wed): Outreach to a major downstream implementor upon JPCERT/CC recommendation (responded, but unwilling to receive full details)
- 2026-06-18 (Thu): Updated JPCERT/CC and downstream vendor with a date change to Jul 1 for disclosure
- 2026-07-01 (Wed): Public disclosure of CVE-2026-6682