Impact
The flaw resides in the mount_volume() routine of FatFs R0.16 and earlier. An integer overflow occurs when the code multiplies the FAT size by the number of FAT copies, causing the computed FAT-area size (fasize) to wrap around. The wrapped value can lead to attacker-controlled file metadata and unsafe read lengths downstream, potentially allowing arbitrary memory reads or code execution. The CVSS vector indicates high severity (C:H, I:H, A:H).
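As an added illustration (not FatFs code and not taken from the advisory), the C example below shows the class of defect described above: an unchecked 32-bit product of a per-FAT sector count and a FAT count that silently wraps, next to a checked version that rejects the volume header before any later read length or offset is derived from the product. The function names, status codes and header values are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example; none of the names below are FatFs identifiers. */
enum fat_status {
    FAT_OK = 0,
    FAT_ERR_ZERO = 1,      /* FAT size or FAT count of zero */
    FAT_ERR_OVERFLOW = 2,  /* fat_sectors * num_fats does not fit in 32 bits */
    FAT_ERR_RANGE = 3      /* FAT region does not fit inside the volume */
};

/* Unchecked product: reproduces the wraparound. With fat_sectors = 0x80000000
   and num_fats = 2 the result is 0, which later code would treat as a tiny FAT. */
uint32_t fat_area_unchecked(uint32_t fat_sectors, uint32_t num_fats)
{
    return fat_sectors * num_fats;   /* wraps modulo 2^32 without any diagnostic */
}

/* Checked version: validates the product and the resulting region before any
   read length or cluster offset is computed from it. */
enum fat_status validate_fat_area(uint32_t fat_sectors, uint32_t num_fats,
                                  uint32_t fat_start, uint32_t total_sectors,
                                  uint32_t *fasize_out)
{
    if (fat_sectors == 0 || num_fats == 0)
        return FAT_ERR_ZERO;
    /* Division-based test: decides whether the product would wrap without
       performing the multiplication that could wrap. */
    if (fat_sectors > UINT32_MAX / num_fats)
        return FAT_ERR_OVERFLOW;
    uint32_t fasize = fat_sectors * num_fats;
    /* The FAT region must lie entirely inside the volume. */
    if (fat_start > total_sectors || fasize > total_sectors - fat_start)
        return FAT_ERR_RANGE;
    if (fasize_out)
        *fasize_out = fasize;
    return FAT_OK;
}

/* Convenience wrapper: the validated FAT-area size, or 0 when the header is
   rejected (0 is never a valid result because zero inputs are rejected above). */
uint32_t fat_area_checked(uint32_t fat_sectors, uint32_t num_fats,
                          uint32_t fat_start, uint32_t total_sectors)
{
    uint32_t fasize = 0;
    if (validate_fat_area(fat_sectors, num_fats, fat_start, total_sectors, &fasize) != FAT_OK)
        return 0;
    return fasize;
}

int main(void)
{
    /* Constructed header values: a 64 MiB volume with 512-byte sectors, and a
       crafted FAT size chosen so that the 32-bit product wraps to zero. */
    uint32_t total = 131072, fat_start = 32;
    printf("benign:  unchecked=%u checked=%u\n",
           (unsigned)fat_area_unchecked(1016, 2),
           (unsigned)fat_area_checked(1016, 2, fat_start, total));
    printf("crafted: unchecked=%u checked=%u (status %d)\n",
           (unsigned)fat_area_unchecked(0x80000000u, 2),
           (unsigned)fat_area_checked(0x80000000u, 2, fat_start, total),
           (int)validate_fat_area(0x80000000u, 2, fat_start, total, NULL));
    return 0;
}
```

The range check matters as much as the overflow check: a product that fits in 32 bits can still describe a FAT larger than the volume, and both cases should fail the mount rather than be carried into later size arithmetic.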
Affected Systems
Embedded devices and other systems that incorporate the ChaN FatFs file-system library, especially those using version 0.16 or earlier. The library is widely deployed in microcontroller firmware, IoT gateways, and other low-end devices. Any system that loads a FAT32 volume or processes FAT32 file-system images with this version is affected.
Risk and Exploitability
The CVSS score of 7.6 classifies the vulnerability as high severity. EPSS data is unavailable, and the issue is not yet listed in the CISA KEV catalog. Triggering the overflow requires physical or local access to the device, but the description notes that a malicious update package could deliver a crafted file-system image through an OTA or update pipeline. Thus, systems that receive unsigned or unauthenticated updates, or that run unpatched FatFs binaries, face a significant risk of exploitation.
OpenCVE Enrichment