Product: FatFs
CVE: CVE-2026-6686

Executive summary #
CVE-2026-6686 affects ChaN's FatFs R0.16 and earlier. The issue is uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Identified downstream projects include STMicroelectronics Middleware FatFS MCU, RT-Thread, ArduPilot, RIOT OS, Arm Limited Mbed, and Adafruit Industries TinyUF2.
Technical details #
The extension path in f_lseek() updates the logical size but does not clear newly allocated storage:

```c
if (!FF_FS_READONLY && fp->fptr > fp->obj.objsize) {
    fp->obj.objsize = fp->fptr; /* extends file */
    fp->flag |= FA_MODIFIED;    /* no zero-fill of new clusters */
}
```
If sectors previously contained deleted-file data, that stale content becomes readable through the extended region. This violates expected zero-initialization semantics and enables passive data recovery by less-privileged readers.
Representative trigger:

```c
FIL fp;
f_open(&fp, "0:/log.bin", FA_WRITE | FA_CREATE_ALWAYS);
f_lseek(&fp, LARGE_SIZE); /* cluster chain grows; LARGE_SIZE is the desired preallocation length */
f_close(&fp);
/* later read exposes old cluster content in unwritten range */
```
For more details, see https://github.com/runZeroInc/vulns-2026-fatfs-chance
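The following is an added example; it is not part of the runZero advisory and not FatFs code. It shows the defensive pattern the technical details and the trigger above call for: a helper, f_extend_zeroed(), that grows a file by writing explicit zeros from the old EOF instead of seeking past it, and a check, count_stale_bytes(), that counts non-zero bytes in a range that should read as zero. The names f_lseek, f_write, f_read, f_size and FRESULT are the real FatFs API, but their bodies here are a constructed in-memory stand-in that reproduces the advisory's behaviour (seeking past EOF only bumps objsize over whatever the medium already holds); the helper, the check, the demo functions and the 0xAA "deleted-file remnant" data are all assumptions made for the example.

```c
/* Added example (not from the runZero advisory or from FatFs).
 * The block between the STAND-IN markers is a CONSTRUCTED in-memory
 * replacement for the FatFs calls used here; with the real library,
 * delete it and #include "ff.h" instead. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- STAND-IN begin ------------------------------------------------ */
typedef uint32_t FSIZE_t;
typedef unsigned int UINT;
typedef enum { FR_OK = 0, FR_DISK_ERR = 1, FR_DENIED = 7, FR_INVALID_PARAMETER = 19 } FRESULT;

#define DISK_SIZE 4096
static uint8_t disk[DISK_SIZE];                         /* constructed block device */

typedef struct { FSIZE_t fptr; FSIZE_t objsize; } FIL;  /* file pointer and logical size */
#define f_size(fp) ((fp)->objsize)

/* Reproduces the vulnerable path: extend logical size, never zero new bytes. */
static FRESULT f_lseek(FIL *fp, FSIZE_t ofs) {
    if (ofs > DISK_SIZE) return FR_INVALID_PARAMETER;
    fp->fptr = ofs;
    if (fp->fptr > fp->objsize) fp->objsize = fp->fptr;  /* the CVE-2026-6686 behaviour */
    return FR_OK;
}

static FRESULT f_write(FIL *fp, const void *buf, UINT btw, UINT *bw) {
    if (fp->fptr + btw > DISK_SIZE) return FR_DISK_ERR;
    memcpy(disk + fp->fptr, buf, btw);
    fp->fptr += btw;
    if (fp->fptr > fp->objsize) fp->objsize = fp->fptr;
    *bw = btw;
    return FR_OK;
}

static FRESULT f_read(FIL *fp, void *buf, UINT btr, UINT *br) {
    if (fp->fptr + btr > fp->objsize) btr = (UINT)(fp->objsize - fp->fptr);  /* clamp at EOF */
    memcpy(buf, disk + fp->fptr, btr);
    fp->fptr += btr;
    *br = btr;
    return FR_OK;
}
/* ---- STAND-IN end -------------------------------------------------- */

/* Mitigation (hypothetical helper): grow fp to new_size by writing explicit
 * zeros from the old EOF onward, so a recycled cluster is overwritten
 * before any part of it becomes readable. Uses only the public FatFs API. */
FRESULT f_extend_zeroed(FIL *fp, FSIZE_t new_size) {
    static const uint8_t zeros[512] = {0};               /* one sector of zeros */
    FSIZE_t old_size = f_size(fp);
    if (new_size <= old_size) return f_lseek(fp, new_size);  /* no growth: seek is safe */
    FRESULT fr = f_lseek(fp, old_size);                      /* stay within existing data */
    if (fr != FR_OK) return fr;
    FSIZE_t remaining = new_size - old_size;
    while (remaining > 0) {
        UINT chunk = remaining > sizeof zeros ? (UINT)sizeof zeros : (UINT)remaining;
        UINT bw = 0;
        fr = f_write(fp, zeros, chunk, &bw);
        if (fr != FR_OK) return fr;
        if (bw != chunk) return FR_DENIED;   /* FatFs reports a full volume as a short write */
        remaining -= bw;
    }
    return FR_OK;
}

/* Check (hypothetical helper): count non-zero bytes in [from, to) of fp,
 * -1 on I/O error. A preallocated-but-unwritten range should yield 0. */
long count_stale_bytes(FIL *fp, FSIZE_t from, FSIZE_t to) {
    uint8_t buf[256];
    long stale = 0;
    if (f_lseek(fp, from) != FR_OK) return -1;
    while (from < to) {
        UINT want = (to - from) > sizeof buf ? (UINT)sizeof buf : (UINT)(to - from), got = 0;
        if (f_read(fp, buf, want, &got) != FR_OK || got == 0) return -1;
        for (UINT i = 0; i < got; i++) if (buf[i] != 0) stale++;
        from += got;
    }
    return stale;
}

/* Constructed scenario: the medium still holds 0xAA bytes left by a deleted
 * file, and a freshly created empty file is preallocated to 1024 bytes. */
static void seed_stale_disk(FIL *fp) {
    memset(disk, 0xAA, sizeof disk);
    fp->fptr = 0;
    fp->objsize = 0;
}

long demo_unsafe_extend(void) {            /* the advisory's trigger: f_lseek past EOF */
    FIL fp;
    seed_stale_disk(&fp);
    if (f_lseek(&fp, 1024) != FR_OK) return -1;
    return count_stale_bytes(&fp, 0, 1024);   /* every byte is stale */
}

long demo_safe_extend(void) {              /* same growth through the zeroing helper */
    FIL fp;
    seed_stale_disk(&fp);
    if (f_extend_zeroed(&fp, 1024) != FR_OK) return -1;
    return count_stale_bytes(&fp, 0, 1024);   /* nothing stale remains */
}

int main(void) {
    printf("stale bytes after plain f_lseek:   %ld\n", demo_unsafe_extend());
    printf("stale bytes after f_extend_zeroed: %ld\n", demo_safe_extend());
    return 0;
}
```

On a real target the zero writes cost one write per sector of growth, which is the price of the guarantee; firmware that preallocates large log or staging files with f_lseek() can swap in the helper at the call site without touching the library. The count_stale_bytes() check is also usable as a post-update audit: read the unwritten tail of a preallocated file and expect zero.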
Attacker value #
This vulnerability enables information disclosure, including remnants of deleted firmware chunks, logs, keys, or other sensitive material left in recycled clusters. It is particularly valuable on shared media and update partitions where privilege boundaries are weak.
Downstream systems at risk include RT-Thread and STMicroelectronics Middleware FatFS MCU deployments that use preallocation patterns, plus embedded update flows using FAT-backed staging areas.
Credit #
Discovered by HD Moore, CVE coordination by Tod Beardsley, both of runZero, Inc.
Timeline #
- 2026-03-17 (Tue): Initial findings discovered and documented
- 2026-04-20 (Mon): CVE IDs reserved
- 2026-04-20 (Mon): Initial outreach to the provider, ChaN (no response)
- 2026-04-27 (Mon): Outreach to JPCERT/CC for coordination help (TN: JPCERT#96 280429)
- 2026-04-28 (Tue): JPCERT/CC outreach to the provider in Japanese (no response after three attempts)
- 2026-05-14 (Wed): Outreach to a major downstream implementor upon JPCERT/CC recommendation (responded, but unwilling to receive full details)
- 2026-06-18 (Thu): Updated JPCERT/CC and downstream vendor with a date change to Jul 1 for disclosure
- 2026-07-01 (Wed): Public disclosure of CVE-2026-6682