Integer Underflow in FatFs Affects Multiple Versions by Elm-Chan
CVE-2026-6685

6.1MEDIUM

Key Information:

Vendor

Chan

Status
Vendor
CVE Published:
1 July 2026

What is CVE-2026-6685?

The FatFs library versions prior to R0.16 are susceptible to an integer underflow vulnerability due to a flaw in the f_read() and f_write() functions. Specifically, during interleaved read and write operations on fragmented filesystems, the calculation 'fp->sect - sect < cc' may lead to unexpected behavior. Exploitation of this vulnerability can result in corrupted data and potential total technical impacts as a proof-of-concept has been established. Developers using FatFs are advised to upgrade to the latest version to mitigate this risk.

Affected Version(s)

FatFs 0

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

HD Moore of runZero, Inc.
Tod Beardsley of runZero, Inc.
.