Products: FatFs

CVE-2026-6685

Executive summary #
CVE-2026-6685 affects ChaN's FatFs R0.16 and earlier. The issue is a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp->sect - sect < cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Identified downstream projects include Espressif IoT Development Framework, STMicroelectronics Middleware FatFS MCU, Zephyr RTOS, ArduPilot, RT-Thread, RIOT OS, Arm Limited Mbed, Damien P. George's MicroPython, and Terje Io's grblHAL.
Technical details #
The vulnerable guard appears in both the read and write paths:

```c
/* fp->sect: sector currently held in the file object's cache
 * sect:     first sector of the window being transferred directly to/from rbuff
 * cc:       number of sectors in that window
 * LBA_t is unsigned, so when fp->sect < sect the subtraction wraps instead of going negative. */
if ((fp->flag & FA_DIRTY) && fp->sect - sect < cc) {
    memcpy(rbuff + ((fp->sect - sect) * SS(fs)), fp->buf, SS(fs));
}
```
When fp->sect < sect (the cached sector is numerically before the current read window, which occurs on fragmented volumes where cluster N+1 maps to a lower-numbered sector than cluster N), the subtraction wraps to a value near 2^32. The huge value may still satisfy < cc when cc is large, causing the memcpy to fire at an out-of-bounds offset and write stale cached data far outside rbuff.
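The following stand-alone model, added here and not taken from FatFs or the advisory, contrasts the guard as quoted above with a hardened form that checks ordering before subtracting. It assumes a 32-bit build (LBA_t is a 32-bit DWORD, FF_LBA64 == 0), 512-byte sectors, FA_DIRTY set, and constructed sector numbers.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-bit LBA_t as in a FatFs build with FF_LBA64 == 0. */
typedef uint32_t LBA_t;
#define SECTOR_SIZE 512u

/* Guard as quoted in the advisory: the unsigned subtraction wraps when cached < sect. */
bool guard_original(LBA_t cached, LBA_t sect, uint32_t cc)
{
    return cached - sect < cc;
}

/* Hardened guard: require the cached sector to lie at or after the window start
 * before subtracting, so the difference can never wrap. */
bool guard_hardened(LBA_t cached, LBA_t sect, uint32_t cc)
{
    return cached >= sect && cached - sect < cc;
}

/* Sector index the merge would use; shows the wrapped value on the "before" case. */
uint32_t merge_index(LBA_t cached, LBA_t sect)
{
    return cached - sect;
}

/* Byte offset into an rbuff of cc sectors where the dirty sector may be merged,
 * or -1 when the cached sector is outside the window and the copy must be skipped. */
long long safe_merge_offset(LBA_t cached, LBA_t sect, uint32_t cc)
{
    if (!guard_hardened(cached, sect, cc)) return -1;
    uint64_t off = (uint64_t)(cached - sect) * SECTOR_SIZE;
    /* Defensive re-check; cannot trigger once the hardened guard has passed. */
    if (off + SECTOR_SIZE > (uint64_t)cc * SECTOR_SIZE) return -1;
    return (long long)off;
}

int main(void)
{
    LBA_t sect = 998;  /* constructed: window covers sectors 998..1001 */
    uint32_t cc = 4;
    printf("cached 1000: orig=%d hard=%d off=%lld\n", guard_original(1000, sect, cc),
           guard_hardened(1000, sect, cc), safe_merge_offset(1000, sect, cc));
    /* cached sector 996 lies before the window: the index wraps to 0xFFFFFFFE */
    printf("cached 996: index=0x%08x\n", merge_index(996, sect));
    printf("cached 996, cc=UINT32_MAX: orig=%d hard=%d\n",
           guard_original(996, sect, UINT32_MAX), guard_hardened(996, sect, UINT32_MAX));
    return 0;
}
```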
This is especially relevant for long-lived devices whose FAT allocation becomes non-monotonic over time; attackers can also prepare intentionally fragmented media to drive the condition.
For more details, see https://github.com/runZeroInc/vulns-2026-fatfs-chance
Attacker value #
Attackers can induce silent data corruption in systems that rely on FAT for control files, logs, or machine instructions. In practical terms this can degrade integrity guarantees and cause unsafe behavior without obvious crash signatures.
Downstream impact is high where FAT is used for operational data, including Espressif IoT Development Framework and Zephyr RTOS deployments, RTOS data loggers, and CNC workflows using Terje Io's grblHAL.
Credit #
Discovered by HD Moore, CVE coordination by Tod Beardsley, both of runZero, Inc.
Timeline #
- 2026-03-17 (Tue): Initial findings discovered and documented
- 2026-04-20 (Mon): CVE IDs reserved
- 2026-04-20 (Mon): Initial outreach to the provider, ChaN (no response)
- 2026-04-27 (Mon): Outreach to JPCERT/CC for coordination help (TN: JPCERT#96 280429)
- 2026-04-28 (Tue): JPCERT/CC outreach to the provider in Japanese (no response after three attempts)
- 2026-05-14 (Wed): Outreach to a major downstream implementor upon JPCERT/CC recommendation (responded, but unwilling to receive full details)
- 2026-06-18 (Thu): Updated JPCERT/CC and downstream vendor with a date change to Jul 1 for disclosure
- 2026-07-01 (Wed): Public disclosure of CVE-2026-6682