Impact
FatFs R0.16 and earlier contain a stack buffer overflow in the f_getlabel() routine, caused by trusting the length field of the exFAT volume label instead of enforcing the maximum the specification allows. The overflow can corrupt the stack frame, potentially letting an attacker overwrite the return address or otherwise redirect control flow, leading to arbitrary code execution. The CVSS v3.1 score of 7.6 indicates a high severity impact on confidentiality, integrity, and availability. No other external inputs are required beyond a crafted exFAT label value.
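The defensive pattern the fix describes, a bounds check on the on-disk character count before copying the label into a fixed buffer, is shown below as an added illustration. This is not FatFs code and not the project's patch; it is a hypothetical label reader whose entry layout (32-byte directory entry, EntryType 0x83, CharacterCount at byte 1, up to 11 UTF-16LE characters from byte 2) is taken from the exFAT specification rather than from this advisory, and the helper names and return codes are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* exFAT volume-label directory entry layout (from the exFAT specification,
 * not from the advisory): 32-byte entry, EntryType 0x83 at offset 0,
 * CharacterCount at offset 1, up to 11 UTF-16LE characters at offset 2. */
#define EXFAT_DIRENT_SIZE      32
#define EXFAT_ET_VOLUME_LABEL  0x83
#define EXFAT_LABEL_MAX_CHARS  11

enum label_result {
    LABEL_OK = 0,
    LABEL_NOT_LABEL_ENTRY = 1,
    LABEL_COUNT_TOO_LARGE = 2,
    LABEL_BAD_ARGS = 3
};

/* Copy the label out of a directory entry into a caller buffer of at least
 * EXFAT_LABEL_MAX_CHARS + 1 bytes. Non-ASCII code units are replaced by '?'
 * so the example does not depend on any Unicode conversion layer.
 *
 * The unsafe pattern this guards against is a copy loop that runs to
 * entry[1] (CharacterCount) unconditionally: that byte is on-disk data under
 * the control of whoever formatted the volume, and any value above 11 would
 * write past the end of a fixed-size label buffer on the stack. */
enum label_result read_exfat_label(const uint8_t entry[EXFAT_DIRENT_SIZE],
                                   char *out, size_t out_len)
{
    if (!entry || !out || out_len < EXFAT_LABEL_MAX_CHARS + 1) return LABEL_BAD_ARGS;
    if (entry[0] != EXFAT_ET_VOLUME_LABEL) return LABEL_NOT_LABEL_ENTRY;

    unsigned count = entry[1];
    /* The bounds check: reject the entry instead of trusting CharacterCount. */
    if (count > EXFAT_LABEL_MAX_CHARS) return LABEL_COUNT_TOO_LARGE;

    for (unsigned i = 0; i < count; i++) {
        uint16_t cu = (uint16_t)(entry[2 + 2 * i] | (entry[3 + 2 * i] << 8));
        out[i] = (cu < 0x80) ? (char)cu : '?';
    }
    out[count] = '\0';
    return LABEL_OK;
}

/* Build a constructed label entry for demonstration; the ASCII text is
 * widened to UTF-16LE and the count byte is set independently so that an
 * inconsistent (oversized) count can be exercised. */
void make_label_entry(uint8_t entry[EXFAT_DIRENT_SIZE], uint8_t count, const char *ascii)
{
    memset(entry, 0, EXFAT_DIRENT_SIZE);
    entry[0] = EXFAT_ET_VOLUME_LABEL;
    entry[1] = count;
    size_t n = strlen(ascii);
    if (n > EXFAT_LABEL_MAX_CHARS) n = EXFAT_LABEL_MAX_CHARS;
    for (size_t i = 0; i < n; i++) {
        entry[2 + 2 * i] = (uint8_t)ascii[i];
        entry[3 + 2 * i] = 0;
    }
}
```

Rejecting the entry (rather than silently truncating to 11 characters) is the conservative choice: a count outside the specification means the volume is malformed or hostile, and surfacing that to the caller is more useful than returning a label that does not match what is on disk.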
Affected Systems
The affected product is ChaN:FatFs versions R0.16 and earlier. Systems that ship with or embed these FatFs releases (common in embedded devices, firmware, and lightweight operating systems) are potentially vulnerable. Versions 0.17 and later include the necessary bounds checks to mitigate the issue.
Risk and Exploitability
The CVSS vector indicates a physical attack vector (AV:P) with low attack complexity, no privileges, and no user interaction. Exploitation would occur when an attacker can present a storage device carrying a malicious exFAT label to a system that calls f_getlabel() on it; the EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog. The attack requires local or physical access to the device or embedded system that mounts the exFAT volume. The potential for arbitrary code execution makes this flaw particularly dangerous, especially in environments where FatFs is used for device storage or firmware updates.
OpenCVE Enrichment