Products
| # | Product |
|---|---------|
| 1 | FatFs |
CVE
CVE-2026-6684
Executive summary #
CVE-2026-6684 affects ChaN's FatFs releases prior to R0.16 when built with FF_LBA64 = 1, which enables GPT partition scanning at mount time. The issue is that the loop count for the partition-entry scan is taken directly from the GPT header field GPTH_PtNum with no upper bound, so a crafted header can force an extremely long or effectively endless mount-time scan. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC values are Exploitation: PoC, Technical Impact: Partial.
Identified downstream projects include Rene Stange's Circle, Adafruit Industries' TinyUF2 (which bundles older FatFs snapshots), Eugene Tarassov's Vivado RISC-V, and other pre-R0.16 integrations built with FF_LBA64 enabled.
Technical details #
In vulnerable versions, GPT partition scanning trusts the on-disk partition-entry count and applies no upper bound to it:
```c
/* Vulnerable pattern (pre-R0.16): the loop count comes straight from the GPT header */
n_ent = ld_dword(buf + GPTH_PtNum);        /* attacker-controlled entry count */
for (i = 0; i < n_ent; i++) {
    if (disk_read(...) != RES_OK) break;   /* a failed read is the only early exit */
}
```
A crafted GPT image with GPTH_PtNum = 0xFFFFFFFF drives the scan through roughly four billion iterations, issuing sector reads as it goes, until a read finally fails or the count is exhausted. The mount call hangs, and because mounting usually happens early, boot or service startup blocks behind it. On targets without a watchdog the device simply stays hung, so the crafted media acts as a persistent boot-denial condition.
FatFs R0.16 added checks in test_gpt_header() (including partition-count and CRC validation) that bound this behavior, but projects that vendor older FatFs trees remain exposed.
For more details, see https://github.com/runZeroInc/vulns-2026-fatfs-chance
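The following is an added illustration written for this page; it is not FatFs code and not runZero's proof of concept. It builds a GPT header sector claiming an attacker-chosen entry count, runs it through a header pre-check in the spirit of R0.16's test_gpt_header() (signature, header size, header CRC32, entry size and an entry-count cap), and simulates the pre-R0.16 scan loop against a mock block device. Header offsets follow the UEFI GPT header layout and the constant names mirror the FatFs identifiers used above; the 512-byte sector size, the 128-entry cap, the mock device that succeeds on every LBA, and the iteration budget that keeps the simulated unbounded loop finite are all assumptions of the example.

```c
/* Added example (not FatFs code): GPT entry-count cap next to a simulation of
 * the pre-R0.16 unbounded scan.  Sector size, entry cap, mock disk behaviour
 * and the iteration budget are assumptions made for this demonstration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SS              512u   /* sector size assumed here */
#define SZ_GPTE         128u   /* GPT partition entry size */
#define GPTH_Sign       0      /* "EFI PART" */
#define GPTH_Size       12     /* header size (92 for revision 1.0) */
#define GPTH_Bcc        16     /* CRC32 of the header, computed with this field zeroed */
#define GPTH_PtOfs      72     /* first LBA of the entry array (64-bit) */
#define GPTH_PtNum      80     /* number of entries */
#define GPTH_PtSize     84     /* size of one entry */
#define MAX_GPT_ENTRIES 128u   /* cap chosen for this example */

static uint32_t ld_dword(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t ld_qword(const uint8_t *p) {
    return (uint64_t)ld_dword(p) | (uint64_t)ld_dword(p + 4) << 32;
}
static void st_dword(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static uint32_t crc32_le(const uint8_t *p, size_t n) {   /* standard reflected CRC-32 */
    uint32_t c = 0xFFFFFFFFu;
    while (n--) {
        c ^= *p++;
        for (int k = 0; k < 8; k++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

/* Write a revision 1.0 GPT header sector claiming n_ent entries at LBA 2 (constructed test data). */
void make_gpt_header(uint8_t *sec, uint32_t n_ent) {
    memset(sec, 0, SS);
    memcpy(sec + GPTH_Sign, "EFI PART", 8);
    st_dword(sec + 8, 0x00010000u);            /* revision 1.0 */
    st_dword(sec + GPTH_Size, 92);
    st_dword(sec + GPTH_PtOfs, 2);             /* low dword of the entry-array LBA; high dword stays 0 */
    st_dword(sec + GPTH_PtNum, n_ent);
    st_dword(sec + GPTH_PtSize, SZ_GPTE);
    st_dword(sec + GPTH_Bcc, crc32_le(sec, 92)); /* CRC field is still zero when the CRC is taken */
}

/* Hardened pre-check: signature, header size, header CRC, entry size and an entry-count cap. */
int gpt_header_ok(const uint8_t *sec) {
    uint8_t tmp[SS];
    uint32_t hsz = ld_dword(sec + GPTH_Size), n = ld_dword(sec + GPTH_PtNum);
    if (memcmp(sec + GPTH_Sign, "EFI PART", 8) != 0) return 0;
    if (hsz < 92 || hsz > SS) return 0;
    memcpy(tmp, sec, SS);
    st_dword(tmp + GPTH_Bcc, 0);
    if (crc32_le(tmp, hsz) != ld_dword(sec + GPTH_Bcc)) return 0;
    if (ld_dword(sec + GPTH_PtSize) != SZ_GPTE) return 0;
    return n != 0 && n <= MAX_GPT_ENTRIES;     /* the bound the vulnerable loop lacks */
}

/* Build a header claiming n_ent entries, optionally corrupt one byte, and run the pre-check. */
int header_accepts(uint32_t n_ent, int corrupt) {
    uint8_t sec[SS];
    make_gpt_header(sec, n_ent);
    if (corrupt) sec[GPTH_PtOfs] ^= 0x01;      /* silently move the entry array; CRC no longer matches */
    return gpt_header_ok(sec);
}

/* Mock block device: succeeds for every LBA and returns zeros past the image end.
 * Assumption for the demo: a driver that does not fail out-of-range reads. */
typedef struct { const uint8_t *img; uint64_t sectors; unsigned reads; } mock_disk;
static int disk_read(mock_disk *d, uint8_t *buf, uint64_t lba) {
    d->reads++;
    if (lba < d->sectors) memcpy(buf, d->img + lba * SS, SS); else memset(buf, 0, SS);
    return 0;                                  /* RES_OK */
}

/* Scan the entry array.  With hardened == 0 the loop count comes straight from GPTH_PtNum
 * (the pre-R0.16 pattern); `budget` is an artificial cap so the demo terminates.
 * Returns the number of sector reads issued, or -1 if the header was rejected. */
long scan_entries(mock_disk *d, int hardened, uint32_t budget) {
    uint8_t win[SS];
    d->reads = 0;
    if (disk_read(d, win, 1) != 0) return -1;  /* GPT header lives at LBA 1 */
    if (hardened && !gpt_header_ok(win)) return -1;
    uint32_t n_ent = ld_dword(win + GPTH_PtNum);
    uint64_t pt_lba = ld_qword(win + GPTH_PtOfs);
    for (uint32_t i = 0; i < n_ent && i < budget; i++) {
        if (i * SZ_GPTE % SS == 0 && disk_read(d, win, pt_lba++) != 0) break;  /* one read per 4 entries */
    }
    return (long)d->reads;
}

/* Build a two-sector image (MBR + GPT header) claiming n_ent entries and scan it. */
long run_demo(uint32_t n_ent, int hardened, uint32_t budget) {
    uint8_t img[2 * SS];
    mock_disk d = { img, 2, 0 };
    memset(img, 0, sizeof img);
    make_gpt_header(img + SS, n_ent);
    return scan_entries(&d, hardened, budget);
}

int main(void) {
    printf("128 entries, unbounded loop: %ld reads\n", run_demo(128, 0, 100000));
    printf("PtNum=0xFFFFFFFF, unbounded loop, budget 100000: %ld reads\n", run_demo(0xFFFFFFFFu, 0, 100000));
    printf("PtNum=0xFFFFFFFF, hardened: %ld (rejected)\n", run_demo(0xFFFFFFFFu, 1, 100000));
    return 0;
}
```

With a benign 128-entry header both variants issue 33 reads (header plus 32 entry sectors). With GPTH_PtNum = 0xFFFFFFFF the unbounded variant keeps reading until the artificial budget stops it, whereas the hardened variant rejects the header before the loop starts; on a real device there is no budget, which is the hang described above.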
Attacker value #
This vulnerability gives an attacker a low-complexity boot-time denial-of-service primitive: crafted removable storage alone triggers it. In bare-metal and bootloader contexts, the device stays non-functional until the media is replaced or the firmware is recovered.
Downstream risk is concentrated in projects that ship older FatFs snapshots in firmware or boot components, including Rene Stange's Circle, Eugene Tarassov's Vivado RISC-V, and TinyUF2-based products from Adafruit Industries / Ha Thach, where update lag is common.
Credit #
Discovered by HD Moore, CVE coordination by Tod Beardsley, both of runZero, Inc.
Timeline #
- 2026-03-17 (Tue): Initial findings discovered and documented
- 2026-04-20 (Mon): CVE IDs reserved
- 2026-04-20 (Mon): Initial outreach to the provider, ChaN (no response)
- 2026-04-27 (Mon): Outreach to JPCERT/CC for coordination help (TN: JPCERT#96 280429)
- 2026-04-28 (Tue): JPCERT/CC outreach to the provider in Japanese (no response after three attempts)
- 2026-05-14 (Wed): Outreach to a major downstream implementor upon JPCERT/CC recommendation (responded, but unwilling to receive full details)
- 2026-06-18 (Thu): Updated JPCERT/CC and downstream vendor with a date change to Jul 1 for disclosure
- 2026-07-01 (Wed): Public disclosure of CVE-2026-6682