Products
| # | Product |
|---|---------|
| 1 | FatFs |

CVE: CVE-2026-6688

Executive summary #
CVE-2026-6688 is a downstream-caller vulnerability pattern associated with the long filename (LFN) handling in ChaN's FatFs. With LFN support enabled (FF_USE_LFN), FatFs returns the full long name in FILINFO.fname, which can be up to FF_LFN_BUF characters (255 by default); many callers copy that string into fixed buffers sized for 8.3 short names without checking its length, so a long name overflows the destination. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Identified downstream projects include Zephyr RTOS, NodeMCU Firmware, Samsung TizenRT, Terje Io's grblHAL, Giovanni Di Sirio's ChibiOS examples, and Jiachi Zou's StarryPilot.
Technical details #
The root condition is straightforward: FatFs returns the full LFN string in fno.fname, while the caller sizes its destination for an 8.3 name (13 bytes including the terminator).
Common vulnerable examples include:

```c
strcpy(entry->name, fno.fname);      /* short destination, long source */
sprintf(path, "0:/%s", fno.fname);   /* path buffer overflow */
sprintf(&cur_path[n], "/%s", fn);    /* unchecked append */
```
In Zephyr specifically, directory-entry name fields sized for SFN use (for example 14 bytes) are overrun by 241 characters, plus the terminating NUL, when presented with a 255-character LFN. In other projects, off-by-one cases or fixed-size path buffers make even moderate LFN lengths exploitable.
Because the defect lives in integration code rather than in a single FatFs function, the affected set varies by project, but the pattern recurs across embedded VFS wrappers and file-browser implementations.
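The unchecked copy pattern above beside a bounded replacement, as an added example that is not FatFs code and not code from any of the downstream projects named here. It assumes the FatFs default FF_LFN_BUF of 255, a 14-byte caller-side entry buffer as in the Zephyr case, and a hypothetical 64-byte path buffer; filinfo_t is a stand-in for FILINFO, and the 255-character name is constructed inline rather than read from real media.

```c
/* Added example (not FatFs or any downstream project's code).
 * Assumptions: FF_LFN_BUF == 255 (FatFs default), a 14-byte entry-name
 * buffer as in the Zephyr case above, and a 64-byte path buffer. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LFN_BUF       255   /* FatFs default FF_LFN_BUF (assumption) */
#define ENTRY_NAME_SZ  14   /* 8.3-sized destination, as in the text */
#define PATH_SZ        64   /* fixed path buffer (assumption) */

/* Stand-in for the FatFs FILINFO.fname field with LFN enabled;
 * FatFs always NUL-terminates it. */
typedef struct {
    char fname[LFN_BUF + 1];
} filinfo_t;

/* Caller-side directory entry sized for short names. */
typedef struct {
    char name[ENTRY_NAME_SZ];
} dir_entry_t;

/* Bytes that strcpy(dst, src) would write past a dst of dst_sz bytes.
 * Counts the terminating NUL: a 255-char LFN overruns a 14-byte buffer
 * by 242 bytes (241 characters plus the terminator). */
size_t strcpy_overrun(size_t dst_sz, const char *src)
{
    size_t need = strlen(src) + 1;
    return need > dst_sz ? need - dst_sz : 0;
}

/* The vulnerable pattern from the advisory, kept as the 'before'.
 * Only safe when the name fits; never called on a long name here. */
void copy_name_unchecked(dir_entry_t *e, const filinfo_t *fno)
{
    strcpy(e->name, fno->fname);
}

/* Hardened form: reject names that do not fit rather than truncating,
 * since a truncated name can alias a different entry on the volume.
 * Returns 0 on success, -1 if the name (plus NUL) does not fit. */
int copy_name_checked(dir_entry_t *e, const filinfo_t *fno)
{
    size_t len = strlen(fno->fname);
    if (len >= sizeof e->name)          /* need room for the NUL */
        return -1;
    memcpy(e->name, fno->fname, len + 1);
    return 0;
}

/* Hardened path append: snprintf with its return value checked, so
 * "0:/" + a long LFN fails closed instead of overflowing 'path'. */
int join_path(char *path, size_t path_sz, const char *dir, const char *name)
{
    int n = snprintf(path, path_sz, "%s%s", dir, name);
    if (n < 0 || (size_t)n >= path_sz) {
        path[0] = '\0';                  /* leave nothing half-built */
        return -1;
    }
    return 0;
}

/* Constructed input: a 255-character LFN as crafted media would present
 * it (not taken from a real image). */
void make_long_name(filinfo_t *fno)
{
    memset(fno->fname, 'A', LFN_BUF);
    fno->fname[LFN_BUF] = '\0';
}

int main(void)
{
    filinfo_t fno;
    dir_entry_t e;
    char path[PATH_SZ];

    make_long_name(&fno);
    printf("overrun of a %d-byte entry: %zu bytes\n",
           ENTRY_NAME_SZ, strcpy_overrun(ENTRY_NAME_SZ, fno.fname));
    printf("checked copy: %d\n", copy_name_checked(&e, &fno));
    printf("join_path:    %d\n", join_path(path, sizeof path, "0:/", fno.fname));
    return 0;
}
```

The checked copy refuses instead of truncating because a silently shortened name can collide with another entry on the same volume; the caller should skip or flag the entry. Checking the return value of snprintf is the fix for the sprintf append lines, which have no bound at all, and the 14-character case in the test below is the off-by-one the text mentions: the name fits, the terminator does not.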
For more details, see https://github.com/runZeroInc/vulns-2026-fatfs-chance
Attacker value #
Attackers can turn a routine directory listing into stack or heap corruption by supplying crafted FAT media containing long filenames. Depending on the target's memory layout, that yields crashes, control-flow corruption, or code execution.
Downstream impact spans multiple ecosystems, including Zephyr RTOS-based IoT products, NodeMCU Firmware deployments, Samsung TizenRT devices, Terje Io grblHAL CNC workflows, and Jiachi Zou StarryPilot UAV firmware.
Credit #
Discovered by HD Moore, CVE coordination by Tod Beardsley, both of runZero, Inc.
Timeline #
- 2026-03-17 (Tue): Initial findings discovered and documented
- 2026-04-20 (Mon): CVE IDs reserved
- 2026-04-20 (Mon): Initial outreach to the provider, ChaN (no response)
- 2026-04-27 (Mon): Outreach to JPCERT/CC for coordination help (TN: JPCERT#96 280429)
- 2026-04-28 (Tue): JPCERT/CC outreach to the provider in Japanese (no response after three attempts)
- 2026-05-14 (Thu): Outreach to a major downstream implementor upon JPCERT/CC recommendation (responded, but unwilling to receive full details)
- 2026-06-18 (Thu): Updated JPCERT/CC and downstream vendor with a date change to Jul 1 for disclosure
- 2026-07-01 (Wed): Public disclosure of CVE-2026-6688