Uninitialized Resource Exposure in FatFs by Chan
CVE-2026-6686
4.6MEDIUM
What is CVE-2026-6686?
FatFs versions R0.16 and earlier have a vulnerability where newly allocated clusters are not zero-filled when extending files beyond EOF using the f_lseek() function. This oversight can lead to exposure of uninitialized data, posing a risk of data leakage and potential exploitation. The vulnerability aligns with CWE-908, indicating improper handling of uninitialized resources, with instances of it reported under specific exploitation conditions and potential technical impacts.
Affected Version(s)
FatFs 0
References
CVSS V3.1
Score:
4.6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
HD Moore of runZero, Inc.
Tod Beardsley of runZero, Inc.
