Description
FatFs R0.16 and earlier contain a FAT32 integer overflow bug in mount_volume(), where the product fasize *= fs->n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The attack vector is physical (a crafted volume presented to the device), but remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vector is Exploitation: PoC, Technical Impact: Total.
Published: 2026-07-01
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in the mount_volume() routine of FatFs R0.16 and earlier. While parsing the BIOS Parameter Block, the code multiplies the per-FAT size in sectors by the number of FAT copies (fasize *= fs->n_fats). With a crafted FAT size the 32-bit product wraps, so the layout checks that follow operate on a far too small FAT-area size while the attacker-supplied size field is retained as file-system metadata. Downstream callers that derive read lengths from that metadata can then issue oversized or out-of-bounds reads. The CVSS vector rates confidentiality, integrity and availability impact as high (C:H/I:H/A:H) with a scope change (S:C).

Affected Systems

Embedded devices and other systems that incorporate ChaN's FatFs file-system library at release R0.16 or earlier. The library is widely deployed in microcontroller firmware, IoT gateways and other low-end devices, and is usually compiled into the firmware image rather than installed as a package, so it may not show up in software inventories. Any such system that mounts an untrusted FAT32 volume (removable media, a USB mass-storage device, or a file-system image delivered through an update pipeline) is affected.

Risk and Exploitability

The CVSS score of 7.6 classifies the vulnerability as high severity. EPSS data is unavailable, and the issue is not listed in the CISA KEV catalog; the SSVC assessment records that a proof of concept exists (Exploitation: PoC) with total technical impact. The physical attack vector (AV:P) means an attacker ordinarily has to present a crafted volume to the device, for example on removable media, but the description notes that malicious update packages could deliver the same payload through OTA/update pipelines. Systems that accept unsigned or unauthenticated updates, or that mount media of unknown origin, and run an unpatched FatFs face a significant risk of exploitation.

Generated by OpenCVE AI on July 1, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FatFs to a release newer than R0.16 that addresses the overflow. The description lists R0.16 and earlier as affected, and no vendor fix or advisory is recorded on this page yet, so confirm in the FatFs release notes that the mount_volume() arithmetic was changed before relying on the upgrade.
  • If upgrading is not feasible, add an overflow check before the multiplication in mount_volume(): reject the volume when fasize exceeds UINT32_MAX / fs->n_fats (or compute the FAT-area size in 64 bits and reject any value that does not fit within the volume's total sector count), and validate file-size metadata against the volume geometry before using it as a read length.
  • Review and harden the OTA/update pipeline so that firmware and file-system images are cryptographically signed and the signature is verified before the image is mounted or parsed, not only before it is written to flash.

Generated by OpenCVE AI on July 1, 2026 at 21:13 UTC.
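To make the arithmetic from the Impact section and the bounds check from the recommended actions concrete, here is an added example in C. It is not FatFs source and not part of this advisory: it models the two-step FAT-size computation (BPB_FATSz16, falling back to BPB_FATSz32, then multiplied by the FAT count) in a 32-bit sector count, as FatFs does, beside a hardened parser that refuses the volume when the product would wrap or the system area would not fit on the volume. The BPB field offsets are the standard FAT specification offsets; the function names, the fat_geom_t struct and the constructed boot sector are this example's own.

```c
/*
 * Added example for CVE-2026-6682: a model of the FAT-size arithmetic in
 * mount_volume(), NOT FatFs source. BPB offsets are the FAT specification's;
 * the struct, function names and test image are constructed for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR_SIZE    512u
#define SZDIRE         32u   /* size of one directory entry */

/* BIOS Parameter Block field offsets (FAT specification) */
#define BPB_BytsPerSec 11
#define BPB_SecPerClus 13
#define BPB_RsvdSecCnt 14
#define BPB_NumFATs    16
#define BPB_RootEntCnt 17
#define BPB_TotSec16   19
#define BPB_FATSz16    22
#define BPB_TotSec32   32
#define BPB_FATSz32    36

static uint16_t ld_word(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t ld_dword(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void st_word(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void st_dword(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

typedef struct {
    uint32_t fsize;    /* sectors per FAT copy, exactly as stored in the BPB */
    uint32_t fatarea;  /* sectors covered by all FAT copies (fsize * n_fats) */
    uint32_t tsect;    /* total sectors on the volume */
    uint32_t database; /* first data sector: reserved + FAT area + root directory */
    uint8_t  n_fats;
} fat_geom_t;

/* BPB fields shared by both parsers. Returns -1 on a malformed block. */
static int load_common(const uint8_t *bs, fat_geom_t *g, uint32_t *nrsv, uint32_t *rootsect) {
    if (ld_word(bs + BPB_BytsPerSec) != SECTOR_SIZE) return -1;
    g->fsize = ld_word(bs + BPB_FATSz16);
    if (g->fsize == 0) g->fsize = ld_dword(bs + BPB_FATSz32);   /* FAT32 path */
    g->n_fats = bs[BPB_NumFATs];
    if (g->n_fats != 1 && g->n_fats != 2) return -1;
    g->tsect = ld_word(bs + BPB_TotSec16);
    if (g->tsect == 0) g->tsect = ld_dword(bs + BPB_TotSec32);
    *nrsv = ld_word(bs + BPB_RsvdSecCnt);
    *rootsect = ld_word(bs + BPB_RootEntCnt) / (SECTOR_SIZE / SZDIRE);
    return 0;
}

/* Vulnerable shape: the 32-bit multiply has no wraparound check. */
static int parse_bpb_unchecked(const uint8_t *bs, fat_geom_t *g) {
    uint32_t nrsv, rootsect;
    if (load_common(bs, g, &nrsv, &rootsect) != 0) return -1;
    uint32_t fasize = g->fsize;
    fasize *= g->n_fats;                     /* wraps when fsize * n_fats >= 2^32 */
    g->fatarea = fasize;
    uint32_t sysect = nrsv + fasize + rootsect;
    if (g->tsect < sysect) return -1;        /* trivially satisfied once fasize wrapped */
    g->database = sysect;
    return 0;
}

/* Hardened: refuse the volume if the product would wrap or the system area does
 * not leave room for data; the sum is done in 64 bits so it cannot wrap either. */
static int parse_bpb_checked(const uint8_t *bs, fat_geom_t *g) {
    uint32_t nrsv, rootsect;
    if (load_common(bs, g, &nrsv, &rootsect) != 0) return -1;
    if (g->fsize == 0) return -1;
    if (g->fsize > UINT32_MAX / g->n_fats) return -1;   /* fsize * n_fats would wrap */
    g->fatarea = g->fsize * g->n_fats;
    uint64_t sysect = (uint64_t)nrsv + g->fatarea + rootsect;
    if (sysect >= g->tsect) return -1;       /* FAT area does not fit on the volume */
    g->database = (uint32_t)sysect;
    return 0;
}

/* Constructed FAT32 boot sector: FATSz16 and TotSec16 stay 0 so the 32-bit fields are used. */
static void make_fat32_bpb(uint8_t *bs, uint32_t fatsz32, uint8_t n_fats, uint32_t totsec32) {
    memset(bs, 0, SECTOR_SIZE);
    st_word(bs + BPB_BytsPerSec, (uint16_t)SECTOR_SIZE);
    bs[BPB_SecPerClus] = 8;
    st_word(bs + BPB_RsvdSecCnt, 32);
    bs[BPB_NumFATs] = n_fats;
    st_dword(bs + BPB_TotSec32, totsec32);
    st_dword(bs + BPB_FATSz32, fatsz32);
    bs[510] = 0x55; bs[511] = 0xAA;
}

int main(void) {
    uint8_t bs[SECTOR_SIZE];
    fat_geom_t g;
    /* Crafted: each FAT claims 0x80000000 sectors, two copies, on a 512 MiB volume. */
    make_fat32_bpb(bs, 0x80000000u, 2, 1048576u);
    int rc = parse_bpb_unchecked(bs, &g);
    printf("unchecked: rc=%d fsize=0x%08x fatarea=%u database=%u\n", rc, g.fsize, g.fatarea, g.database);
    printf("checked:   rc=%d\n", parse_bpb_checked(bs, &g));
    /* Sane: 1024-sector FATs, two copies. */
    make_fat32_bpb(bs, 1024u, 2, 1048576u);
    rc = parse_bpb_checked(bs, &g);
    printf("sane:      rc=%d fatarea=%u database=%u\n", rc, g.fatarea, g.database);
    return 0;
}
```

With FATSz32 = 0x80000000 and two FATs, the unchecked parser computes a FAT area of zero sectors, passes its total-sector check and places the data region at sector 32, directly after the reserved area where the FAT should begin, while the per-FAT size field keeps its attacker-chosen value for later callers to trust. The checked parser rejects the same sector before multiplying, and its 64-bit sum also catches a FAT size that fits in 32 bits but not on the volume.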

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Description In FatFS R0.16 and earlier contains a FAT32 integer overflow bug in mount_volume() where fasize *= fs->n_fats can wrap, leading to attacker-controlled file-size metadata and unsafe read lengths in downstream callers. This maps to CWE-190 (Integer Overflow or Wraparound). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). Remote delivery is also possible in OTA/update pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Title FatFs Integer Overflow in FAT32 Volume Mount
Weaknesses CWE-190
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-07-01T15:24:05.860Z

Reserved: 2026-04-20T15:06:18.243Z

Link: CVE-2026-6682

Vulnrichment

Updated: 2026-07-01T15:23:59.950Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T21:15:05Z

Weaknesses
  • CWE-190

    Integer Overflow or Wraparound