CVE-2026-6683
Received
Received - Intake
Divide-by-Zero in FatFs exFAT Sync Logic
Publication date: 2026-07-01
Last updated on: 2026-07-01
Assigner: 44488dab-36db-4358-99f9-bc116477f914
Description
FatFs R0.16 and earlier contains a divide-by-zero bug in its exFAT sync logic, triggered when crafted metadata causes n_fatent - 2 to be zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Where update media is delivered over a network, the issue can be remotely reachable in some pipelines. The estimated CISA SSVC values are Exploitation: PoC, Technical Impact: Partial.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elm-chips | fatfs | 0.16 |
| chan | fatfs | to r0.17 (exc) |
| stmicroelectronics | middleware_fatfs | * |
| zephyr_project | zephyr_rtos | * |
| ardupilot | ardupilot | * |
| rt_thread | rt_thread | * |
| riot_os | riot_os | * |
| arm_limited | mbed | * |
| samsung | tizenrt | * |
| micropython | micropython | * |
| nanovna | nanovna | * |
| swupdate | swupdate | * |
| chan | fatfs | to r0.16 (exc) |
| zephyr_project | zephyr | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-369 | The product divides a value by zero. |