FatFS GPT partition-scan loop DoS (pre-R0.16)

Vendor: ChaN
Product: FatFs
Executive summary #

CVE-2026-6684 affects builds of ChaN's FatFs prior to R0.16 that use GPT scanning with FF_LBA64 = 1. The issue is an unbounded loop count derived from the GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.

Identified downstream projects include Rene Stange Circle, Adafruit Industries TinyUF2 (where older snapshots are bundled), Eugene Tarassov's Vivado RISC-V, and other pre-R0.16 integrations with LBA64 enabled.

Technical details #

In vulnerable versions, GPT partition scanning trusts the on-disk partition-entry count without a hard cap:

n_ent = ld_dword(buf + GPTH_PtNum);       /* entry count taken straight from the on-disk GPT header */
for (i = 0; i < n_ent; i++) {             /* no upper bound: n_ent may be as large as 0xFFFFFFFF */
    if (disk_read(...) != RES_OK) break;  /* the only early exit is a read error */
}

A crafted GPT image with GPTH_PtNum = 0xFFFFFFFF drives massive read loops before failure, hanging mount and often blocking boot/service startup. On watchdog-less targets this can act as a persistent boot denial condition.

FatFs R0.16 added test_gpt_header() checks (including partition-count and CRC validation) to bound this behavior, but vendored legacy trees remain exposed.
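The following is an added example of the kind of header validation described above, written for this page and not taken from FatFs or from the runZero repository. It checks the header signature, size and CRC-32, rejects an entry count above a hard cap, and confirms that the entry array actually fits before the first usable LBA, so that the count handed to the scan loop is bounded. Field offsets follow the UEFI specification (GPTH_PtNum corresponds to offset 80); the cap GPT_MAX_ENTRIES, the status codes, and the sample header built by check_sample() are assumptions made for the illustration.

```c
/* Added example (not FatFs's own code): validate a primary GPT header before
 * looping over its partition entries. Field offsets follow the UEFI spec;
 * GPT_MAX_ENTRIES and the sample header are assumptions made for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GPT_HDR_LEN      92u   /* length of the defined header fields */
#define GPT_SIG_OFS       0u   /* "EFI PART" */
#define GPT_HDRSIZE_OFS  12u
#define GPT_HDRCRC_OFS   16u   /* CRC-32 of the header, computed with this field zeroed */
#define GPT_CURLBA_OFS   24u   /* LBA this header claims to live at */
#define GPT_FSTLBA_OFS   40u   /* first usable LBA: the entry array must end before it */
#define GPT_PTOFS_OFS    72u   /* starting LBA of the partition entry array */
#define GPT_PTNUM_OFS    80u   /* number of partition entries (GPTH_PtNum in FatFs) */
#define GPT_PTENT_OFS    84u   /* size in bytes of one partition entry */

#define GPT_MAX_ENTRIES 1024u  /* assumed hard cap; the UEFI minimum array is 128 entries */

enum gpt_status {
    GPT_OK = 0, GPT_BAD_SIGNATURE, GPT_BAD_HEADER_SIZE, GPT_BAD_CRC, GPT_BAD_LBA,
    GPT_BAD_ENTRY_SIZE, GPT_TOO_MANY_ENTRIES, GPT_ARRAY_OUT_OF_RANGE
};

/* Little-endian load/store helpers; GPT fields are little-endian on disk. */
static uint32_t ld32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t ld64(const uint8_t *p) { return (uint64_t)ld32(p) | (uint64_t)ld32(p + 4) << 32; }
static void st32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void st64(uint8_t *p, uint64_t v) { st32(p, (uint32_t)v); st32(p + 4, (uint32_t)(v >> 32)); }

/* Standard CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320), bitwise. */
static uint32_t crc32_update(uint32_t c, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int b = 0; b < 8; b++) c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return c;
}
uint32_t crc32_ieee(const uint8_t *p, size_t n) { return ~crc32_update(0xFFFFFFFFu, p, n); }

/* Header CRC covers hdr_size bytes with the CRC field itself treated as zero. */
uint32_t gpt_header_crc(const uint8_t *hdr, uint32_t hdr_size) {
    static const uint8_t zero[4] = {0, 0, 0, 0};
    uint32_t c = crc32_update(0xFFFFFFFFu, hdr, GPT_HDRCRC_OFS);
    c = crc32_update(c, zero, 4);
    return ~crc32_update(c, hdr + GPT_HDRCRC_OFS + 4, hdr_size - GPT_HDRCRC_OFS - 4);
}

/* Sectors the entry array occupies; 64-bit so that n_ent = 0xFFFFFFFF cannot wrap. */
uint64_t gpt_array_sectors(uint32_t n_ent, uint32_t ent_size, uint32_t ss) {
    return ((uint64_t)n_ent * ent_size + ss - 1) / ss;
}

/* Validate the primary GPT header read from sector cur_lba (sector size ss; hdr must
 * hold at least ss bytes). On GPT_OK, *n_ent is a bounded count safe to loop over. */
enum gpt_status gpt_check_header(const uint8_t *hdr, uint64_t cur_lba, uint32_t ss, uint32_t *n_ent) {
    if (memcmp(hdr + GPT_SIG_OFS, "EFI PART", 8) != 0) return GPT_BAD_SIGNATURE;
    uint32_t hsz = ld32(hdr + GPT_HDRSIZE_OFS);
    if (hsz < GPT_HDR_LEN || hsz > ss) return GPT_BAD_HEADER_SIZE;
    if (gpt_header_crc(hdr, hsz) != ld32(hdr + GPT_HDRCRC_OFS)) return GPT_BAD_CRC;
    if (ld64(hdr + GPT_CURLBA_OFS) != cur_lba) return GPT_BAD_LBA;
    uint32_t ent = ld32(hdr + GPT_PTENT_OFS);
    if (ent < 128 || (ent & (ent - 1)) != 0 || ent > ss) return GPT_BAD_ENTRY_SIZE; /* 128 * 2^n */
    uint32_t n = ld32(hdr + GPT_PTNUM_OFS);
    if (n == 0 || n > GPT_MAX_ENTRIES) return GPT_TOO_MANY_ENTRIES;   /* the bound the old loop lacked */
    uint64_t pt_lba = ld64(hdr + GPT_PTOFS_OFS);
    if (pt_lba <= cur_lba || pt_lba + gpt_array_sectors(n, ent, ss) > ld64(hdr + GPT_FSTLBA_OFS))
        return GPT_ARRAY_OUT_OF_RANGE;                                  /* array must sit before usable space */
    *n_ent = n;
    return GPT_OK;
}

/* Constructed sample: primary header of a 512-byte-sector disk with 128 entries of
 * 128 bytes at LBA 2 and first usable LBA 34, then PtNum overwritten with n_ent;
 * the CRC is refreshed only when fix_crc is set. */
enum gpt_status check_sample(uint32_t n_ent, int fix_crc) {
    uint8_t hdr[512] = {0};
    uint32_t n = 0;
    memcpy(hdr + GPT_SIG_OFS, "EFI PART", 8);
    st32(hdr + 8, 0x00010000u);                  /* revision 1.0 */
    st32(hdr + GPT_HDRSIZE_OFS, GPT_HDR_LEN);
    st64(hdr + GPT_CURLBA_OFS, 1);
    st64(hdr + 32, 0xFFFFu);                     /* backup header LBA (not checked here) */
    st64(hdr + GPT_FSTLBA_OFS, 34);
    st64(hdr + 48, 0xFFDEu);                     /* last usable LBA (not checked here) */
    st64(hdr + GPT_PTOFS_OFS, 2);
    st32(hdr + GPT_PTNUM_OFS, 128);
    st32(hdr + GPT_PTENT_OFS, 128);
    st32(hdr + GPT_HDRCRC_OFS, gpt_header_crc(hdr, GPT_HDR_LEN));
    st32(hdr + GPT_PTNUM_OFS, n_ent);            /* the field the advisory's loop trusted */
    if (fix_crc) st32(hdr + GPT_HDRCRC_OFS, gpt_header_crc(hdr, GPT_HDR_LEN));
    return gpt_check_header(hdr, 1, 512, &n);
}

int main(void) {
    printf("128 entries, consistent CRC   -> %d (GPT_OK=%d)\n", check_sample(128, 1), GPT_OK);
    printf("0xFFFFFFFF entries, stale CRC -> %d (GPT_BAD_CRC=%d)\n", check_sample(0xFFFFFFFFu, 0), GPT_BAD_CRC);
    printf("0xFFFFFFFF entries, fixed CRC -> %d (GPT_TOO_MANY_ENTRIES=%d)\n", check_sample(0xFFFFFFFFu, 1), GPT_TOO_MANY_ENTRIES);
    printf("sectors an unbounded scan of 0xFFFFFFFF entries would read: %llu\n",
           (unsigned long long)gpt_array_sectors(0xFFFFFFFFu, 128, 512));
    return 0;
}
```

Two points worth noting for anyone patching a vendored tree. First, the CRC check alone is not a bound: a header whose count was altered without updating the CRC fails the CRC test, but a fully self-consistent header with a huge count passes it, so the explicit cap and the geometry check against the first usable LBA are what actually limit the scan. Second, the array-size arithmetic must be done in 64 bits; with a count of 0xFFFFFFFF and 128-byte entries, a 32-bit product wraps and would make an undersized array appear to fit.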

For more details, see https://github.com/runZeroInc/vulns-2026-fatfs-chance

Attacker value #

This vulnerability gives an attacker a low-complexity boot-time denial primitive through crafted removable storage. In bare-metal and bootloader contexts, it can keep devices non-functional until media is replaced or firmware is recovered.

Downstream risk is concentrated in projects shipping older FatFs snapshots in firmware/boot components, including Rene Stange Circle, Eugene Tarassov Vivado RISC-V, and Adafruit Industries / Ha Thach TinyUF2-based products where update lag is common.

Credit #

Discovered by HD Moore, CVE coordination by Tod Beardsley, both of runZero, Inc.

Timeline #

  • 2026-03-17 (Tue): Initial findings discovered and documented
  • 2026-04-20 (Mon): CVE IDs reserved
  • 2026-04-20 (Mon): Initial outreach to the provider, ChaN (no response)
  • 2026-04-27 (Mon): Outreach to JPCERT/CC for coordination help (TN: JPCERT#96 280429)
  • 2026-04-28 (Tue): JPCERT/CC outreach to the provider in Japanese (no response after three attempts)
  • 2026-05-14 (Wed): Outreach to a major downstream implementor upon JPCERT/CC recommendation (responded, but unwilling to receive full details)
  • 2026-06-18 (Thu): Updated JPCERT/CC and downstream vendor with a date change to Jul 1 for disclosure
  • 2026-07-01 (Wed): Public disclosure of CVE-2026-6682

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!. Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.
