Description
FatFs prior to R0.16 that use GPT scanning with 'FF_LBA64 = 1' contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Published: 2026-07-01
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FatFs versions earlier than R0.16 that enable GPT partition scanning when the FF_LBA64 flag is set to 1 contain an unbounded loop. During a mount operation the library reads the GPT header field GPTH_PtNum and uses that value as a counter for the scanning loop. If GPTH_PtNum is extremely large or corrupted the loop condition never becomes false, allowing the mount process to spin indefinitely and effectively freeze the file system. The flaw provides no compromise of confidentiality or integrity; the consequence is a denial of service that disables the availability of the file system and any services that depend on it.

Affected Systems

Embedded devices or firmware that incorporate the ChaN FatFs library compiled with FF_LBA64 support prior to release R0.16 are vulnerable. This includes a broad range of IoT hardware, automotive infotainment controllers, and other firmware that relies on FatFs to handle removable storage. Any system that mounts storage devices containing GPT partition tables while using a pre‑0.16 FatFs build would be susceptible.

Risk and Exploitability

The CVSS v3.1 score of 4.6 classifies the weakness as Medium severity, with a High availability impact. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no confirmed exploitation. Based on the description, the likely attack vector is an attacker able to provide a storage device with a crafted GPT header. This could be done locally by plugging in a malicious USB device or remotely if the system mounts network‑shared disks. The exploit requires minimal effort once such a device is accessible, but the impact is limited to a temporary denial of service until the system is rebooted or the mount operation is interrupted.

Generated by OpenCVE AI on July 1, 2026 at 21:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FatFs to version R0.16 or later to remove the unbounded loop.
  • Disable GPT scanning by setting FF_LBA64=0 in the library configuration or avoid using GPT tables in builds that cannot be updated immediately.
  • Implement a watchdog timer or automated reboot mechanism to recover from a hung mount operation.
  • Restrict exposure to untrusted storage devices and validate GPT header values before mounting to ensure partition counts are within realistic limits.

Generated by OpenCVE AI on July 1, 2026 at 21:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Description FatFs prior to R0.16 that use GPT scanning with 'FF_LBA64 = 1' contains an issue where an unbounded loop count derived from GPT header field GPTH_PtNum, enabling extremely long or effectively infinite mount-time scans. This maps to CWE-835 (Loop with Unreachable Exit Condition). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Title FatFs Infinite Loop in GPT Partition Scan
Weaknesses CWE-835
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-07-01T15:25:53.071Z

Reserved: 2026-04-20T15:06:20.061Z

Link: CVE-2026-6684

cve-icon Vulnrichment

Updated: 2026-07-01T15:25:49.136Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-01T21:15:05Z

Weaknesses
  • CWE-835

    Loop with Unreachable Exit Condition ('Infinite Loop')