Description
FatFs R0.16 and earlier contains a divide-by-zero bug in exFAT sync logic when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Published: 2026-07-01
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FatFs R0.16 and earlier contain a divide‑by‑zero bug in the exFAT sync routine when crafted metadata causes the expression n_fatent – 2 to evaluate to zero during write or sync operations. This flaw can trigger a failure in the file‑system synchronization process, potentially causing a crash or unwritable state of the exFAT volume. According to the CVSS v3.1 vector, the flaw has a medium severity (4.6) and results only in a loss of availability, with no impact on confidentiality or integrity.

Affected Systems

The affected vendor is ChaN, the FatFs firmware library. The bug is present in all releases up to and including R0.16. Any system that embeds FatFs R0.16 or earlier, particularly those mounting exFAT file systems on devices that can write data, is vulnerable.

Risk and Exploitability

The flaw requires at least physical access to supply the crafted metadata, or it could be triggered remotely where network-delivered update media is used in some deployment pipelines, providing a potential remote vector. There is no known exploitation (EPSS score not available), and the vulnerability is not listed in the CISA KEV catalog. The attack surface is limited, but a successful exploit would lead to a denial of service, with a crash or loss of writes during sync operations.

Generated by OpenCVE AI on July 1, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FatFs firmware to R0.17 or a later release that fixes the divide‑by‑zero bug.
  • If an update is not immediately available, restrain write and sync operations to exFAT volumes during critical periods or switch to an alternative file system format.
  • Implement monitoring of file‑system integrity and log any sync failures; require file‑system checks after each critical write operation.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 16:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Jul 2026 14:30:00 +0000

Type: Description
Values Added: FatFs R0.16 and earlier contains a divide-by-zero in exFAT sync logic bug when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.

Type: Title
Values Added: FatFs Divide-by-Zero in exFAT Sync

Type: Weaknesses
Values Added: CWE-369

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 4.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-07-01T15:24:56.449Z

Reserved: 2026-04-20T15:06:19.048Z

Link: CVE-2026-6683

Vulnrichment

Updated: 2026-07-01T15:24:51.337Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T21:15:05Z

Weaknesses