Impact
FatFs R0.16 and earlier allow the “f_lseek” operation to extend a file beyond its existing end without zero‑filling the newly allocated clusters. When a file grows past its previous end, the library allocates fresh storage sectors that still hold whatever data was previously written there. The application can then read the extended region and observe this residual data, leaking the contents of earlier files or other sensitive information that once resided on the medium. This vulnerability is a classic case of CWE‑908 (Use of Uninitialized Resource) and impacts confidentiality only; there is no direct effect on integrity or availability.
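To make the mechanism concrete, the following self-contained C model (added here; it is not FatFs code and uses no FatFs API) places a constructed medium full of residue beside two ways of growing a file: a bare extend that only claims sectors, mirroring the behaviour described above, and a hardened extend that writes explicit zeros over the new region. The sector size, the `file_t` layout and the `'S'` residue pattern are all constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>

#define SECTOR 64   /* small sector size keeps the model readable */
#define NSECT  8    /* sectors on the constructed medium */

/* Constructed medium: every sector still holds bytes from an earlier,
 * since-deleted file ('S' stands in for sensitive residue). */
static uint8_t medium[NSECT][SECTOR];
static int next_free;   /* next never-allocated sector */

typedef struct { int sect[NSECT]; int nsect; size_t size; } file_t;

/* Vulnerable behaviour: growing the file claims fresh sectors but never
 * clears them, so whatever they held before becomes readable. */
void extend_no_zero(file_t *f, size_t new_size) {
    while ((size_t)f->nsect * SECTOR < new_size)
        f->sect[f->nsect++] = next_free++;
    f->size = new_size;
}

/* Hardened form: after claiming sectors, write explicit zeros from the old
 * end to the new size so no byte of the extension is left uninitialised
 * (in an application this is "seek to old end, then write zero buffers"). */
void extend_zero_fill(file_t *f, size_t new_size) {
    size_t old_size = f->size;
    extend_no_zero(f, new_size);
    for (size_t off = old_size; off < new_size; off++)
        medium[f->sect[off / SECTOR]][off % SECTOR] = 0;
}

/* Count non-zero bytes in [off, off+len): the residue a reader observes. */
size_t read_nonzero(const file_t *f, size_t off, size_t len) {
    size_t leaked = 0;
    for (size_t i = off; i < off + len && i < f->size; i++)
        if (medium[f->sect[i / SECTOR]][i % SECTOR] != 0) leaked++;
    return leaked;
}

/* Fresh medium full of residue, new file grown to three sectors with
 * either method; returns how many residual bytes a reader can see. */
size_t residue_after_extend(int zero_fill) {
    file_t f = {{0}, 0, 0};
    memset(medium, 'S', sizeof medium);
    next_free = 0;
    if (zero_fill) extend_zero_fill(&f, 3 * SECTOR);
    else           extend_no_zero(&f, 3 * SECTOR);
    return read_nonzero(&f, 0, 3 * SECTOR);
}
```

`residue_after_extend(0)` reports every byte of the new region as residue, while `residue_after_extend(1)` reports none; the same check, run against a real FatFs build on a medium pre-filled with a known pattern, is a practical way to confirm whether a given version zero-fills on extension.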
Affected Systems
The flaw affects ChaN’s FatFs at version R0.16 or earlier. Any embedded or firmware environment that bundles this filesystem library and uses “f_lseek” to grow files beyond the current end‑of‑file is susceptible. Typical affected contexts include automotive controllers, industrial control systems, consumer IoT devices, and other embedded boards that rely on FatFs for flash or SD card storage management.
Risk and Exploitability
The CVSS score of 4.6 indicates a medium risk. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited or no public exploitation to date. The attack surface is local: an adversary needs to influence the firmware or software that calls “f_lseek” on a file that it can both write to and read back from the storage medium. Proof‑of‑concept demonstrations exist and confirm that the flaw is exploitable with ordinary read/write privileges, but the current description does not indicate that remote exploitation is possible.
OpenCVE Enrichment