Integer Underflow in FatFs Affects Multiple Versions by Elm-Chan
CVE-2026-6685
6.1MEDIUM
What is CVE-2026-6685?
The FatFs library versions prior to R0.16 are susceptible to an integer underflow vulnerability due to a flaw in the f_read() and f_write() functions. Specifically, during interleaved read and write operations on fragmented filesystems, the calculation 'fp->sect - sect < cc' may lead to unexpected behavior. Exploitation of this vulnerability can result in corrupted data and potential total technical impacts as a proof-of-concept has been established. Developers using FatFs are advised to upgrade to the latest version to mitigate this risk.
Affected Version(s)
FatFs 0
References
CVSS V3.1
Score:
6.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
HD Moore of runZero, Inc.
Tod Beardsley of runZero, Inc.
