FatFS long filename overflow in downstream callers

Vendor: ChaN
Product: FatFs

Executive summary #

CVE-2026-6688 is a downstream-caller vulnerability pattern associated with ChaN's FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.

Identified downstream projects include Zephyr RTOS, NodeMCU Firmware, Samsung TizenRT, Terje Io's grblHAL, Giovanni Di Sirio's ChibiOS examples, and Jiachi Zou's StarryPilot.

Technical details #

The root condition is straightforward: FatFs returns full LFN strings, and caller code assumes 8.3-sized destinations.

Common vulnerable examples include:

strcpy(entry->name, fno.fname);          /* short destination, long source */
sprintf(path, "0:/%s", fno.fname);      /* path buffer overflow */
sprintf(&cur_path[n], "/%s", fn);       /* unchecked append */

In Zephyr specifically, directory-entry names sized for SFN usage (for example 14 bytes) can be overflowed by 241 bytes when presented with a 255-character LFN. In other projects, off-by-one cases or fixed-path buffers make even moderate LFN lengths exploitable.

Because this is in integration code rather than a single FatFs function, affected projects vary, but the pattern is common across embedded VFS wrappers and file browser implementations.
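As an added example (not code from this advisory, from FatFs, or from any of the named downstream projects), here is a bounds-checked replacement for the two copy patterns above. FatFs is not linked, so the FILINFO type, the dir_entry struct, the run_checks() helper and the 14-byte name field (mirroring the Zephyr case) are constructed stand-ins.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <string.h>

#define FF_LFN_BUF      255   /* FatFs default maximum LFN length */
#define ENTRY_NAME_MAX  14    /* SFN-sized destination, as in the Zephyr case */

/* Constructed stand-ins for the FatFs FILINFO and a caller's entry struct. */
typedef struct { char fname[FF_LFN_BUF + 1]; } FILINFO;
struct dir_entry { char name[ENTRY_NAME_MAX]; };

/* Hardened replacement for strcpy(entry->name, fno.fname): reject rather
 * than truncate, so a long LFN can neither overflow nor alias a short name. */
static int entry_set_name(struct dir_entry *e, const FILINFO *fno) {
    size_t len = strnlen(fno->fname, sizeof fno->fname);
    if (len >= sizeof e->name) return -1;          /* name too long for field */
    memcpy(e->name, fno->fname, len + 1);
    return 0;
}

/* Hardened replacement for sprintf(&path[n], "/%s", fname): snprintf reports
 * the full would-be length, so overflow is detected and the path restored. */
static int path_append(char *path, size_t pathsz, const char *fname) {
    size_t n = strnlen(path, pathsz);
    if (n == pathsz) return -1;                    /* path not NUL-terminated */
    int w = snprintf(path + n, pathsz - n, "/%s", fname);
    if (w < 0 || (size_t)w >= pathsz - n) { path[n] = '\0'; return -1; }
    return 0;
}

/* Exercises both helpers with a 255-char LFN (the advisory's worst case)
 * and an 8.3 name; returns the number of checks that behaved as expected. */
int run_checks(void) {
    FILINFO fno; struct dir_entry e; char path[32] = "0:";
    int ok = 0;
    memset(fno.fname, 'A', FF_LFN_BUF); fno.fname[FF_LFN_BUF] = '\0';
    ok += entry_set_name(&e, &fno) == -1;                   /* 255 > 13: rejected */
    ok += path_append(path, sizeof path, fno.fname) == -1   /* would overflow */
          && strcmp(path, "0:") == 0;                       /* path left intact */
    strcpy(fno.fname, "FIRMWARE.BIN");                      /* 12 chars: fits */
    ok += entry_set_name(&e, &fno) == 0 && strcmp(e.name, "FIRMWARE.BIN") == 0;
    ok += path_append(path, sizeof path, fno.fname) == 0
          && strcmp(path, "0:/FIRMWARE.BIN") == 0;
    return ok;   /* 4 when every case is handled */
}

int main(void) { printf("%d/4 checks passed\n", run_checks()); return 0; }
```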

For more details, see https://github.com/runZeroInc/vulns-2026-fatfs-chance

Attacker value #

Attackers can transform routine directory traversal into stack/heap corruption by supplying crafted FAT media with long filenames. This can produce crashes, control-flow corruption, or code execution depending on target memory layout.

Downstream impact spans multiple ecosystems, including Zephyr RTOS-based IoT products, NodeMCU Firmware deployments, Samsung TizenRT devices, Terje Io grblHAL CNC workflows, and Jiachi Zou StarryPilot UAV firmware.

Credit #

Discovered by HD Moore, CVE coordination by Tod Beardsley, both of runZero, Inc.

Timeline #

  • 2026-03-17 (Tue): Initial findings discovered and documented
  • 2026-04-20 (Mon): CVE IDs reserved
  • 2026-04-20 (Mon): Initial outreach to the provider, ChaN (no response)
  • 2026-04-27 (Mon): Outreach to JPCERT/CC for coordination help (TN: JPCERT#96 280429)
  • 2026-04-28 (Tue): JPCERT/CC outreach to the provider in Japanese (no response after three attempts)
  • 2026-05-14 (Wed): Outreach to a major downstream implementor upon JPCERT/CC recommendation (responded, but unwilling to receive full details)
  • 2026-06-18 (Thu): Updated JPCERT/CC and downstream vendor with a date change to Jul 1 for disclosure
  • 2026-07-01 (Wed): Public disclosure of CVE-2026-6682

Written by todb

Tod Beardsley is VP of Security Research at runZero, where he "kicks assets and fakes frames." Prior to 2025, he was the Section Chief for the Vulnerability Response section for CSD/VM/VRC at CISA, the Cybersecurity and Infrastructure Security Agency, part of the US government, and a seasonal Travis County Election Judge in Texas. He's also a founder and CNA point of contact for AHA!. Tod spends much of his time involved in vulnerability research and coordinated vulnerability disclosure (CVD). He has over 30 years of hands-on security experience, stretching from in-band telephony switching to modern ICS/OT implementations. He has held IT ops, security, software engineering, and management positions in large organizations such as the US Government, Rapid7, 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Tod is a CVE Board member, has authored several research papers, and is an internationally-tolerated horror fiction expert.
