CVE Catalog

CVE-2026-6688

HighCVSS 7.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

9th percentile — higher than 9% of all known CVEs

Summary

A vulnerability in FatFs R0.16 and earlier affects long filename (LFN) handling. The function copies filenames (up to 255 characters) into short fixed buffers without bounds checking, causing buffer overflow.

Risk Assessment

An attacker with physical access to the system can exploit this vulnerability to gain control over the device, potentially leading to total compromise of data and system.

Recommendation

Update FatFs to a version newer than R0.16 that includes fixes for this issue. Also review application code using FatFs for safe filename copying.

Original NVD description (English source)

FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS