Description
FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Published: 2026-07-01
Score: 4.6 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In FatFs R0.16 and earlier, f_lseek() can extend a file beyond its current end of file without zero-filling the newly allocated clusters. When a file grows past its previous size, the library allocates fresh clusters whose sectors still hold whatever data was last written there. The application can then read the extended region and observe this residual data, leaking the contents of previously deleted files or other sensitive material that once resided on the medium. This is a textbook instance of CWE-908 (Use of Uninitialized Resource) and affects confidentiality only; there is no direct effect on integrity or availability.

Affected Systems

The flaw affects ChaN's FatFs at version R0.16 or earlier. Any embedded or firmware environment that links this filesystem library and uses f_lseek() to grow files beyond the current end of file is exposed. Typical affected contexts include automotive controllers, industrial control systems, consumer IoT devices, and other embedded boards that rely on FatFs for flash or SD card storage.

Risk and Exploitability

The CVSS score of 4.6 indicates medium risk. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, suggesting limited or no public exploitation to date. The AV:P component of the vector means an attacker needs physical access to the device or medium, and must additionally influence the firmware or software that calls f_lseek() on a file that can be both written and read from the storage medium. Proof-of-concept demonstrations exist and confirm that the flaw is exploitable with ordinary read/write privileges; remote exploitation is not supported by the current description.

Generated by OpenCVE AI on July 2, 2026 at 05:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FatFs to release version 0.17 or later, which introduces zero‑filling for newly allocated clusters.
  • Rebuild or redeploy the firmware application using the updated FatFs library to ensure all file operations use the fixed implementation.
  • If an upgrade cannot be performed immediately, restrict operations that grow files beyond the existing end of file or explicitly zero out new storage regions (e.g., by writing a block of zero bytes) before any subsequent read activity.
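The failure mode described under Impact and the zero-fill workaround in the last recommended action, as an added worked example in C that is not part of this advisory and is not FatFs code: it models a cluster-backed file over a constructed medium whose free clusters still hold a previous file's bytes, extends an empty file once the vulnerable way (allocate only) and once the mitigated way (allocate, then overwrite the new region with zeros), and counts how many readable bytes of the new region are non-zero. No FatFs API is used; medium_t, file_t, extend_by_seek() and extend_zero_fill() are names assumed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a cluster-backed file, not FatFs code. Free clusters keep
 * the bytes of whatever was stored there before, the residue CWE-908 is about. */
#define CLUSTER_SIZE 16
#define NUM_CLUSTERS 8

typedef struct {
    uint8_t data[NUM_CLUSTERS][CLUSTER_SIZE];
    bool    in_use[NUM_CLUSTERS];
} medium_t;

typedef struct {
    medium_t *m;
    int       chain[NUM_CLUSTERS]; /* cluster chain of this file */
    size_t    nclusters;
    size_t    size;                /* logical file size in bytes */
} file_t;

/* Fill every cluster with a previous file's contents and mark them all free. */
void seed_stale_medium(medium_t *m) {
    for (int i = 0; i < NUM_CLUSTERS; i++) {
        memcpy(m->data[i], "OLD-SECRET-DATA!", CLUSTER_SIZE); /* constructed stale bytes */
        m->in_use[i] = false;
    }
}

void file_init(file_t *f, medium_t *m) {
    f->m = m;
    f->nclusters = 0;
    f->size = 0;
}

static int alloc_cluster(medium_t *m) {
    for (int i = 0; i < NUM_CLUSTERS; i++) {
        if (!m->in_use[i]) { m->in_use[i] = true; return i; }
    }
    return -1; /* medium full */
}

/* Vulnerable path, mirroring the R0.16 behaviour the advisory describes:
 * seeking past EOF allocates clusters but never clears them. */
int extend_by_seek(file_t *f, size_t new_size) {
    while (f->nclusters * CLUSTER_SIZE < new_size) {
        int c = alloc_cluster(f->m);
        if (c < 0) return -1;
        f->chain[f->nclusters++] = c;
    }
    if (new_size > f->size) f->size = new_size;
    return 0;
}

/* Mitigated path (the advisory's workaround): grow the file, then overwrite the
 * whole new region [old_size, new_size) with zero bytes before it can be read. */
int extend_zero_fill(file_t *f, size_t new_size) {
    size_t old_size = f->size;
    if (extend_by_seek(f, new_size) != 0) return -1;
    for (size_t off = old_size; off < new_size; off++)
        f->m->data[f->chain[off / CLUSTER_SIZE]][off % CLUSTER_SIZE] = 0;
    return 0;
}

/* Read up to len bytes at off, clamped to the logical file size. */
size_t file_read(const file_t *f, size_t off, uint8_t *out, size_t len) {
    size_t n = 0;
    for (; n < len && off + n < f->size; n++) {
        size_t p = off + n;
        out[n] = f->m->data[f->chain[p / CLUSTER_SIZE]][p % CLUSTER_SIZE];
    }
    return n;
}

/* Audit helper: number of non-zero bytes readable in [off, off+len).
 * In a freshly extended region, anything non-zero is leaked residue. */
size_t count_nonzero(const file_t *f, size_t off, size_t len) {
    uint8_t buf[NUM_CLUSTERS * CLUSTER_SIZE];
    if (len > sizeof buf) len = sizeof buf;
    size_t n = file_read(f, off, buf, len), nonzero = 0;
    for (size_t i = 0; i < n; i++) if (buf[i] != 0) nonzero++;
    return nonzero;
}

/* Create an empty file on a stale medium, extend it to new_size either way, and
 * report how many bytes of the new region leak old data ((size_t)-1 on failure). */
size_t leaked_bytes_after_extend(bool zero_fill, size_t new_size) {
    medium_t m;
    file_t f;
    seed_stale_medium(&m);
    file_init(&f, &m);
    int rc = zero_fill ? extend_zero_fill(&f, new_size) : extend_by_seek(&f, new_size);
    if (rc != 0) return (size_t)-1;
    return count_nonzero(&f, 0, new_size);
}

int main(void) {
    printf("seek-only extend to 40 bytes: %zu bytes of residue readable\n",
           leaked_bytes_after_extend(false, 40));
    printf("zero-fill extend to 40 bytes: %zu bytes of residue readable\n",
           leaked_bytes_after_extend(true, 40));
    return 0;
}
```

Only the logical region [old_size, new_size) is zeroed; the tail of the last cluster beyond new_size stays stale but is unreadable because reads are clamped to the file size, and a later extension zeroes it in turn because it starts from the previous size. A FatFs caller applying the same workaround would, after seeking past the old end, write zero bytes with f_write() over the whole gap before any read of that range.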



Advisories

No advisories yet.

History

Wed, 01 Jul 2026 16:30:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 14:30:00 +0000

Type: Description
Values removed: none
Values added: FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.

Type: Title
Values removed: none
Values added: FatFs Use of Uninitialized Clusters After Seek Past EOF

Type: Weaknesses
Values removed: none
Values added: CWE-908

Type: References
Values removed: none
Values added: (empty)

Type: Metrics (cvssV3_1)
Values removed: none
Values added: {'score': 4.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-07-01T15:05:27.926Z

Reserved: 2026-04-20T15:06:22.242Z

Link: CVE-2026-6686

Vulnrichment

Updated: 2026-07-01T15:05:15.476Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T05:30:17Z

Weaknesses
  • CWE-908: Use of Uninitialized Resource