Buffer Overflow Vulnerability in FatFs by Elm-Chan
CVE-2026-6688

7.6 HIGH

Key Information:

Vendor: Chan
Status: Vendor
CVE Published: 1 July 2026

What is CVE-2026-6688?

FatFs versions R0.16 and earlier contain a critical vulnerability in the handling of long filenames: with long filename support enabled, fno.fname can reach up to 255 characters. Callers that copy this filename into a fixed-size buffer without proper bounds checking can therefore overflow that buffer. The vulnerability is classified as CWE-120 (buffer copy without checking the size of input).
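To illustrate the pattern the advisory describes, here is an added example; it is not FatFs code and not part of the advisory. It uses a constructed stand-in for the FILINFO struct (FILINFO_like, copy_name_unsafe, copy_name_safe, make_entry and name_fits_short_buf are assumed names) and places the unchecked copy beside a bounded one that rejects names that do not fit.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdbool.h>
#include <string.h>

/* Constructed stand-in for the FatFs FILINFO struct (assumption: the real one in
 * ff.h has more fields). With long filenames enabled, fname can hold up to 255
 * characters, as the advisory describes. */
#define LFN_MAX 255
typedef struct { char fname[LFN_MAX + 1]; } FILINFO_like;

/* Many callers still size their name buffers for 8.3 short names. */
#define SHORT_NAME_BUF 13   /* "FILENAME.EXT" plus NUL terminator */

/* Vulnerable pattern (CWE-120): the source length is never checked, so a long
 * fname overruns a 13-byte destination. Shown for contrast; nothing calls it. */
void copy_name_unsafe(char *dst, const FILINFO_like *fno) {
    strcpy(dst, fno->fname);
}

/* Hardened form: bound the source, reject names that do not fit, and always
 * leave dst NUL-terminated. Returns false when the name is rejected. */
bool copy_name_safe(char *dst, size_t dst_len, const FILINFO_like *fno) {
    size_t n = strnlen(fno->fname, sizeof fno->fname);
    if (dst_len == 0) return false;
    if (n >= dst_len) {          /* no room for the name plus its terminator */
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, fno->fname, n);
    dst[n] = '\0';
    return true;
}

/* Constructed sample: a directory entry whose name is name_len 'A's. */
FILINFO_like make_entry(size_t name_len) {
    FILINFO_like fno;
    if (name_len > LFN_MAX) name_len = LFN_MAX;
    memset(fno.fname, 'A', name_len);
    fno.fname[name_len] = '\0';
    return fno;
}

/* Does a name of the given length copy safely into an 8.3-sized buffer? */
bool name_fits_short_buf(size_t name_len) {
    char buf[SHORT_NAME_BUF];
    FILINFO_like fno = make_entry(name_len);
    return copy_name_safe(buf, sizeof buf, &fno);
}
```

A 12-character name is the longest that copy_name_safe accepts into the 13-byte buffer; a 255-character long filename is rejected instead of overrunning the stack.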

Affected Version(s)

FatFs 0

References

CVSS V3.1

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Physical
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

HD Moore of runZero, Inc.
Tod Beardsley of runZero, Inc.