Description
FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Published: 2026-07-01
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FatFs R0.16 and earlier contain a stack buffer overflow in the f_getlabel() routine, caused by trusting the exFAT label length without enforcing the specification’s maximums. The flaw can overwrite the stack frame, potentially allowing an attacker to alter return addresses or influence program flow, leading to execution of arbitrary code. The CVSS v3.1 score of 7.6 indicates a high severity impact on confidentiality, integrity, and availability. No other external inputs are required beyond a crafted exFAT label value.

Affected Systems

The affected product is ChaN:FatFs versions R0.16 and earlier. Systems that ship with or embed these FatFs releases—common in embedded devices, firmware, and lightweight operating systems—are potentially vulnerable. Versions 0.17 and later include the necessary bounds checks to mitigate the issue.

Risk and Exploitability

The CVSS vector indicates a physical local attack (AV:P) with low attack complexity, no privileges, and no user interaction. Exploitation would occur when an attacker can supply a device with a malicious exFAT label to a system that invokes f_getlabel(); the EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The attack requires local or physical access to the device or an embedded system that mounts an exFAT volume. The potential for arbitrary code execution makes this flaw critical, especially in environments where FatFs is used for device storage or firmware updates.

Generated by OpenCVE AI on July 2, 2026 at 05:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FatFs to version 0.17 or later to incorporate the enforced label length checks.
  • If an upgrade is not possible, modify the source to validate XDIR_NumLabel against the exFAT specification before copying into the buffer, or implement bounds checking around the f_getlabel() operation.
  • As a temporary measure, disable or remove exFAT support in the build, or ensure that f_getlabel() is reachable only from trusted code paths and inputs.
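The validation the second recommendation describes, shown as an added illustration that is not FatFs code: a label-entry reader that treats the on-disk CharacterCount as untrusted and rejects any value above the exFAT maximum of 11 UTF-16 units before copying. The entry layout follows the exFAT specification; the function names and the constructed sample entries are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* exFAT Volume Label directory entry layout (per the exFAT specification):
 *   byte 0      EntryType (0x83 = volume label, in use)
 *   byte 1      CharacterCount, valid range 0..11
 *   bytes 2..23 VolumeLabel, up to 11 UTF-16LE code units
 * An unchecked reader that loops `for (i = 0; i < entry[1]; i++)` into a
 * fixed stack buffer lets a count of up to 255 run past the buffer end. */
#define EXFAT_LABEL_MAX   11U
#define ENTRY_TYPE_LABEL  0x83

/* Hardened extraction: returns the number of UTF-16 units copied, or -1 on
 * a malformed entry. `out` must hold EXFAT_LABEL_MAX + 1 units. */
int exfat_read_label(const uint8_t entry[32], uint16_t out[EXFAT_LABEL_MAX + 1])
{
    if (entry[0] != ENTRY_TYPE_LABEL) return -1;
    unsigned count = entry[1];
    /* The on-disk count is attacker-controlled; bound it by the spec, not the byte. */
    if (count > EXFAT_LABEL_MAX) return -1;   /* reject rather than silently truncate */
    for (unsigned i = 0; i < count; i++)
        out[i] = (uint16_t)(entry[2 + 2 * i] | (entry[3 + 2 * i] << 8));
    out[count] = 0;
    return (int)count;
}

/* Build a constructed (not from any real volume) 32-byte label entry. */
void make_label_entry(uint8_t out[32], uint8_t type, uint8_t count, const char *ascii)
{
    memset(out, 0, 32);
    out[0] = type;
    out[1] = count;
    for (size_t i = 0; i < EXFAT_LABEL_MAX && ascii[i]; i++)
        out[2 + 2 * i] = (uint8_t)ascii[i];   /* ASCII -> UTF-16LE low byte */
}

/* Runs the reader on a constructed entry and returns its result. */
int check_entry(uint8_t type, uint8_t count, const char *ascii)
{
    uint8_t entry[32];
    uint16_t label[EXFAT_LABEL_MAX + 1];
    make_label_entry(entry, type, count, ascii);
    return exfat_read_label(entry, label);
}

int main(void)
{
    printf("valid:    %d\n", check_entry(0x83, 5, "HELLO"));   /* 5  */
    printf("oversize: %d\n", check_entry(0x83, 200, "HELLO")); /* -1 */
    return 0;
}
```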

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 15:30:00 +0000

Type            Values Removed   Values Added
Metrics ssvc                     {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 14:30:00 +0000

Type              Values Removed   Values Added
Description                        FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because exFAT label length (XDIR_NumLabel) is trusted without enforcing spec maximums. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.
Title                              FatFs Stack Buffer Overflow via Uncapped exFAT Label Length
Weaknesses                         CWE-121
References
Metrics cvssV3_1                   {'score': 7.6, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: runZero

Published:

Updated: 2026-07-01T15:06:24.705Z

Reserved: 2026-04-20T15:06:23.356Z

Link: CVE-2026-6687

Vulnrichment

Updated: 2026-07-01T15:06:16.964Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T05:30:17Z

Weaknesses
  • CWE-121: Stack-based Buffer Overflow