Uninitialized Resource Exposure in FatFs by Chan
CVE-2026-6686

4.6MEDIUM

Key Information:

Vendor

Chan

Status
Vendor
CVE Published:
1 July 2026

What is CVE-2026-6686?

FatFs versions R0.16 and earlier have a vulnerability where newly allocated clusters are not zero-filled when extending files beyond EOF using the f_lseek() function. This oversight can lead to exposure of uninitialized data, posing a risk of data leakage and potential exploitation. The vulnerability aligns with CWE-908, indicating improper handling of uninitialized resources, with instances of it reported under specific exploitation conditions and potential technical impacts.

Affected Version(s)

FatFs 0

References

CVSS V3.1

Score:
4.6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

HD Moore of runZero, Inc.
Tod Beardsley of runZero, Inc.
.