Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
14 vulnerabilities by elm-chan
CVE-2026-6688 (GCVE-0-2026-6688)
Vulnerability from nvd – Published: 2026-07-01 14:01 – Updated: 2026-07-01 15:06
VLAI
Title
FatFs Buffer Overflow via Unbounded LFN Filename Copy
Summary
FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Severity
7.6 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-120 - Buffer Copy without Checking Size of Input
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-long-fn-… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6688",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:06:55.618764Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:06:59.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"value": "FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:01:44.487Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-long-fn-of-downstream-cve-2026-6688/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Buffer Overflow via Unbounded LFN Filename Copy",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6688",
"datePublished": "2026-07-01T14:01:04.915Z",
"dateReserved": "2026-04-20T15:06:24.308Z",
"dateUpdated": "2026-07-01T15:06:59.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6687 (GCVE-0-2026-6687)
Vulnerability from nvd – Published: 2026-07-01 13:57 – Updated: 2026-07-01 15:06
VLAI
Title
FatFs Stack Buffer Overflow via Uncapped exFAT Label Length
Summary
FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Severity
7.6 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based buffer overflow
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-exfat-la… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6687",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:06:20.995228Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:06:24.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"value": "FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:10:29.724Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-exfat-label-len-of-cve-2026-6687/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Stack Buffer Overflow via Uncapped exFAT Label Length",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6687",
"datePublished": "2026-07-01T13:57:54.242Z",
"dateReserved": "2026-04-20T15:06:23.356Z",
"dateUpdated": "2026-07-01T15:06:24.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6686 (GCVE-0-2026-6686)
Vulnerability from nvd – Published: 2026-07-01 13:55 – Updated: 2026-07-01 15:05
VLAI
Title
FatFs Use of Uninitialized Clusters After Seek Past EOF
Summary
FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Severity
4.6 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-908 - Use of uninitialized resource
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-uninit-c… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6686",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:05:23.138301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:05:27.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
}
],
"value": "FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of uninitialized resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:55:09.072Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-uninit-cluster-exposure-cve-2026-6686/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Use of Uninitialized Clusters After Seek Past EOF",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6686",
"datePublished": "2026-07-01T13:55:09.072Z",
"dateReserved": "2026-04-20T15:06:22.242Z",
"dateUpdated": "2026-07-01T15:05:27.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6685 (GCVE-0-2026-6685)
Vulnerability from nvd – Published: 2026-07-01 13:47 – Updated: 2026-07-01 15:26
VLAI
Title
FatFs Integer Underflow in Dirty-Sector Cache Flush
Summary
FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp->sect - sect < cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-191 - Integer underflow (wrap or wraparound)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-unsigned… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6685",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:26:17.001634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:26:37.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp-\u0026gt;sect - sect \u0026lt; cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"value": "FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp-\u003esect - sect \u003c cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191 Integer underflow (wrap or wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:10:51.392Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-unsigned-sub-wrap-cve-2026-6685/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Integer Underflow in Dirty-Sector Cache Flush",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6685",
"datePublished": "2026-07-01T13:47:25.764Z",
"dateReserved": "2026-04-20T15:06:21.250Z",
"dateUpdated": "2026-07-01T15:26:37.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6684 (GCVE-0-2026-6684)
Vulnerability from nvd – Published: 2026-07-01 13:45 – Updated: 2026-07-01 15:25
VLAI
Title
FatFs Infinite Loop in GPT Partition Scan
Summary
FatFs prior to R0.16 that use GPT scanning with 'FF_LBA64 = 1' contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Severity
4.6 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-835 - Loop with unreachable exit condition ('infinite loop')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-gpt-scan… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6684",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:25:35.369745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:25:53.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThan": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eFatFs prior to R0.16 that use GPT scanning with \u0027FF_LBA64 = 1\u0027 contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "FatFs prior to R0.16 that use GPT scanning with \u0027FF_LBA64 = 1\u0027 contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with unreachable exit condition (\u0027infinite loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:10:58.544Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-gpt-scan-loop-dos-cve-2026-6684/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Infinite Loop in GPT Partition Scan",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6684",
"datePublished": "2026-07-01T13:45:03.639Z",
"dateReserved": "2026-04-20T15:06:20.061Z",
"dateUpdated": "2026-07-01T15:25:53.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6683 (GCVE-0-2026-6683)
Vulnerability from nvd – Published: 2026-07-01 13:41 – Updated: 2026-07-01 15:24
VLAI
Title
FatFs Divide-by-Zero in exFAT Sync
Summary
FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Severity
4.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-369 - Divide by zero
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-exfat-di… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6683",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:24:38.147110Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:24:56.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
}
],
"value": "FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-369",
"description": "CWE-369 Divide by zero",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:11:06.688Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-exfat-divide-by-zero-cve-2026-6683"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Divide-by-Zero in exFAT Sync",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6683",
"datePublished": "2026-07-01T13:41:11.337Z",
"dateReserved": "2026-04-20T15:06:19.048Z",
"dateUpdated": "2026-07-01T15:24:56.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6682 (GCVE-0-2026-6682)
Vulnerability from nvd – Published: 2026-07-01 13:36 – Updated: 2026-07-01 15:24
VLAI
Title
FatFs Integer Overflow in FAT32 Volume Mount
Summary
In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs->n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Severity
7.6 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer overflow or wraparound
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-fat32-in… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6682",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:23:46.354718Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:24:05.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs-\u0026gt;n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"value": "In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs-\u003en_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer overflow or wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:11:14.785Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-fat32-int-of-mnt-cve-2026-6682/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Integer Overflow in FAT32 Volume Mount",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6682",
"datePublished": "2026-07-01T13:36:59.935Z",
"dateReserved": "2026-04-20T15:06:18.243Z",
"dateUpdated": "2026-07-01T15:24:05.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6688 (GCVE-0-2026-6688)
Vulnerability from cvelistv5 – Published: 2026-07-01 14:01 – Updated: 2026-07-01 15:06
VLAI
Title
FatFs Buffer Overflow via Unbounded LFN Filename Copy
Summary
FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Severity
7.6 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-120 - Buffer Copy without Checking Size of Input
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-long-fn-… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6688",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:06:55.618764Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:06:59.026Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"value": "FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-120",
"description": "CWE-120 Buffer Copy without Checking Size of Input",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:01:44.487Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-long-fn-of-downstream-cve-2026-6688/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Buffer Overflow via Unbounded LFN Filename Copy",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6688",
"datePublished": "2026-07-01T14:01:04.915Z",
"dateReserved": "2026-04-20T15:06:24.308Z",
"dateUpdated": "2026-07-01T15:06:59.026Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6687 (GCVE-0-2026-6687)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:57 – Updated: 2026-07-01 15:06
VLAI
Title
FatFs Stack Buffer Overflow via Uncapped exFAT Label Length
Summary
FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Severity
7.6 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-121 - Stack-based buffer overflow
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-exfat-la… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6687",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:06:20.995228Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:06:24.705Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"value": "FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "CWE-121 Stack-based buffer overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:10:29.724Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-exfat-label-len-of-cve-2026-6687/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Stack Buffer Overflow via Uncapped exFAT Label Length",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6687",
"datePublished": "2026-07-01T13:57:54.242Z",
"dateReserved": "2026-04-20T15:06:23.356Z",
"dateUpdated": "2026-07-01T15:06:24.705Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6686 (GCVE-0-2026-6686)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:55 – Updated: 2026-07-01 15:05
VLAI
Title
FatFs Use of Uninitialized Clusters After Seek Past EOF
Summary
FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Severity
4.6 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-908 - Use of uninitialized resource
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-uninit-c… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6686",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:05:23.138301Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:05:27.926Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
}
],
"value": "FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-908",
"description": "CWE-908 Use of uninitialized resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T13:55:09.072Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-uninit-cluster-exposure-cve-2026-6686/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Use of Uninitialized Clusters After Seek Past EOF",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6686",
"datePublished": "2026-07-01T13:55:09.072Z",
"dateReserved": "2026-04-20T15:06:22.242Z",
"dateUpdated": "2026-07-01T15:05:27.926Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6685 (GCVE-0-2026-6685)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:47 – Updated: 2026-07-01 15:26
VLAI
Title
FatFs Integer Underflow in Dirty-Sector Cache Flush
Summary
FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp->sect - sect < cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-191 - Integer underflow (wrap or wraparound)
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-unsigned… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6685",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:26:17.001634Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:26:37.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp-\u0026gt;sect - sect \u0026lt; cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"value": "FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp-\u003esect - sect \u003c cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-191",
"description": "CWE-191 Integer underflow (wrap or wraparound)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:10:51.392Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-unsigned-sub-wrap-cve-2026-6685/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Integer Underflow in Dirty-Sector Cache Flush",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6685",
"datePublished": "2026-07-01T13:47:25.764Z",
"dateReserved": "2026-04-20T15:06:21.250Z",
"dateUpdated": "2026-07-01T15:26:37.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6684 (GCVE-0-2026-6684)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:45 – Updated: 2026-07-01 15:25
VLAI
Title
FatFs Infinite Loop in GPT Partition Scan
Summary
FatFs prior to R0.16 that use GPT scanning with 'FF_LBA64 = 1' contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Severity
4.6 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-835 - Loop with unreachable exit condition ('infinite loop')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-gpt-scan… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6684",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:25:35.369745Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:25:53.071Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThan": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eFatFs prior to R0.16 that use GPT scanning with \u0027FF_LBA64 = 1\u0027 contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.\u003cbr\u003e\u003cbr\u003e\u003c/p\u003e"
}
],
"value": "FatFs prior to R0.16 that use GPT scanning with \u0027FF_LBA64 = 1\u0027 contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-835",
"description": "CWE-835 Loop with unreachable exit condition (\u0027infinite loop\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:10:58.544Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-gpt-scan-loop-dos-cve-2026-6684/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Infinite Loop in GPT Partition Scan",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6684",
"datePublished": "2026-07-01T13:45:03.639Z",
"dateReserved": "2026-04-20T15:06:20.061Z",
"dateUpdated": "2026-07-01T15:25:53.071Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6683 (GCVE-0-2026-6683)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:41 – Updated: 2026-07-01 15:24
VLAI
Title
FatFs Divide-by-Zero in exFAT Sync
Summary
FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Severity
4.6 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-369 - Divide by zero
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-exfat-di… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6683",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:24:38.147110Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:24:56.449Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
}
],
"value": "FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-369",
"description": "CWE-369 Divide by zero",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:11:06.688Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-exfat-divide-by-zero-cve-2026-6683"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Divide-by-Zero in exFAT Sync",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6683",
"datePublished": "2026-07-01T13:41:11.337Z",
"dateReserved": "2026-04-20T15:06:19.048Z",
"dateUpdated": "2026-07-01T15:24:56.449Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6682 (GCVE-0-2026-6682)
Vulnerability from cvelistv5 – Published: 2026-07-01 13:36 – Updated: 2026-07-01 15:24
VLAI
Title
FatFs Integer Overflow in FAT32 Volume Mount
Summary
In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs->n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Severity
7.6 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-190 - Integer overflow or wraparound
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.runzero.com/blog/fatfs-bugs/ | third-party-advisory |
| https://github.com/runZeroInc/vulns-2026-fatfs-chance | technical-description |
| https://elm-chan.org/fsw/ff/ | product |
| https://www.runzero.com/advisories/fatfs-fat32-in… | third-party-advisory |
Date Public
2026-07-01 13:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6682",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-01T15:23:46.354718Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T15:24:05.860Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "FatFs",
"vendor": "ChaN",
"versions": [
{
"lessThanOrEqual": "R0.16",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "HD Moore of runZero, Inc."
},
{
"lang": "en",
"type": "coordinator",
"value": "Tod Beardsley of runZero, Inc."
}
],
"datePublic": "2026-07-01T13:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs-\u0026gt;n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"value": "In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs-\u003en_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "PHYSICAL",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-190",
"description": "CWE-190 Integer overflow or wraparound",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-01T14:11:14.785Z",
"orgId": "44488dab-36db-4358-99f9-bc116477f914",
"shortName": "runZero"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/blog/fatfs-bugs/"
},
{
"tags": [
"technical-description"
],
"url": "https://github.com/runZeroInc/vulns-2026-fatfs-chance"
},
{
"tags": [
"product"
],
"url": "https://elm-chan.org/fsw/ff/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.runzero.com/advisories/fatfs-fat32-int-of-mnt-cve-2026-6682/"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "FatFs Integer Overflow in FAT32 Volume Mount",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "44488dab-36db-4358-99f9-bc116477f914",
"assignerShortName": "runZero",
"cveId": "CVE-2026-6682",
"datePublished": "2026-07-01T13:36:59.935Z",
"dateReserved": "2026-04-20T15:06:18.243Z",
"dateUpdated": "2026-07-01T15:24:05.860Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}