Impact
FatFs R0.16 and earlier contain a divide-by-zero bug in the exFAT sync routine: crafted volume metadata can make the expression `n_fatent - 2` (the data-cluster count, since FAT entries 0 and 1 are reserved) evaluate to zero during write or sync operations. The resulting division fault breaks the file-system synchronization step and can leave the exFAT volume crashed or in an unwritable state. According to the CVSS v3.1 vector, the flaw has a medium severity (4.6) and affects only availability, with no impact on confidentiality or integrity.
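The defensive check implied by the description, as an added, constructed example that is not FatFs's own code and not the vendor's fix: `n_fatent` and `free_clst` follow the field names of FatFs's `FATFS` structure, while the two functions and the percent-in-use calculation they guard are assumptions made here for illustration. A mountable volume has at least one data cluster, so `n_fatent` must be at least 3; rejecting anything smaller at validation time means `n_fatent - 2` can never reach a division as zero.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not FatFs code. Field names mirror FatFs's FATFS
 * structure; the functions are hypothetical. */
typedef uint32_t DWORD;

/* Reject boot-sector cluster counts that cannot describe a usable volume.
 * Returns 0 when the counts are plausible, -1 when they are not.
 * FAT entries 0 and 1 are reserved, so the number of data clusters is
 * n_fatent - 2; a value of n_fatent below 3 would make that zero (or wrap). */
int validate_cluster_count(DWORD n_fatent, DWORD free_clst)
{
    if (n_fatent < 3) {
        return -1;                 /* zero data clusters: n_fatent - 2 == 0 */
    }
    if (free_clst > n_fatent - 2) {
        return -1;                 /* free count cannot exceed data clusters */
    }
    return 0;
}

/* Example consumer of the guard: a percentage-in-use figure of the kind a
 * sync routine might write back to the volume. Returns -1 instead of
 * dividing by zero when the metadata fails validation. */
int percent_in_use(DWORD n_fatent, DWORD free_clst)
{
    if (validate_cluster_count(n_fatent, free_clst) != 0) {
        return -1;
    }
    DWORD data_clst = n_fatent - 2;          /* guaranteed >= 1 here */
    DWORD used = data_clst - free_clst;
    return (int)(((uint64_t)used * 100u) / data_clst);
}

int main(void)
{
    /* Constructed inputs: a healthy volume and two bad boot-sector values. */
    printf("1002 entries, 250 free -> %d%% in use\n", percent_in_use(1002, 250));
    printf("n_fatent = 2 -> %d (rejected)\n", percent_in_use(2, 0));
    printf("free > data clusters -> %d (rejected)\n", percent_in_use(3, 5));
    return 0;
}
```

The point of the split is that the validation runs once, at mount or before sync, rather than at each arithmetic site; every later use of `n_fatent - 2` as a divisor then relies on an invariant that was checked against the on-disk values instead of trusting them.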
Affected Systems
The affected vendor is ChaN, author of the FatFs firmware library. The bug is present in all releases up to and including R0.16. Any system that embeds FatFs R0.16 or earlier is vulnerable, particularly one that mounts exFAT file systems on devices that can write data.
Risk and Exploitability
Triggering the flaw requires at least physical access to supply a volume carrying the crafted metadata; it could also be reached remotely where a deployment pipeline mounts network-delivered update media, which provides a potential remote vector. There is no known exploitation (no EPSS score is available), and the vulnerability is not listed in the CISA KEV catalog. The attack surface is limited, but a successful trigger results in a denial of service: a crash or loss of writes during sync operations.
OpenCVE Enrichment