CVE-2026-6683

Divide-by-Zero in FatFs exFAT Sync Logic

Vulnerability report for CVE-2026-6683, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: 44488dab-36db-4358-99f9-bc116477f914

Description

FatFs R0.16 and earlier contains a divide-by-zero bug in its exFAT sync logic: crafted volume metadata can make the divisor n_fatent - 2 equal to zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remote in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
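As an added illustration, not FatFs source and not a published patch, the kind of mount-time check that removes the zero divisor: it reads the exFAT ClusterCount field, derives n_fatent = ClusterCount + 2 as FAT drivers count the two reserved FAT entries, and rejects the volume before any ratio over n_fatent - 2 is computed. The field offset (92) and the 512-byte sector follow the exFAT boot-sector layout; the percentage helper is an assumed stand-in for whatever quantity the sync path divides.

```c
/* Added example, not FatFs source: validate exFAT ClusterCount at mount time
 * so that n_fatent - 2 can never be zero in later write/sync arithmetic.
 * Assumptions: exFAT boot sector with ClusterCount (uint32, little-endian)
 * at byte 92, 512-byte sector; n_fatent = ClusterCount + 2. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EXFAT_SECTOR_SIZE        512
#define EXFAT_BS_CLUSTER_COUNT   92      /* offset of the ClusterCount field */

/* Little-endian 32-bit load, byte-wise to avoid alignment traps on MCUs. */
static uint32_t ld_dword(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns n_fatent (always >= 3) or 0 when the volume must be rejected. */
uint32_t exfat_n_fatent_checked(const uint8_t *bs, size_t len)
{
    if (bs == NULL || len < EXFAT_BS_CLUSTER_COUNT + 4) return 0;
    uint32_t clusters = ld_dword(bs + EXFAT_BS_CLUSTER_COUNT);
    if (clusters == 0) return 0;                /* n_fatent - 2 would be 0 */
    if (clusters > UINT32_MAX - 2) return 0;    /* n_fatent would wrap */
    return clusters + 2;
}

/* Stand-in for any ratio the sync path takes over the data-cluster count.
 * Returns 0..100, or -1 instead of dividing by zero or overrunning the range. */
int exfat_used_percent(uint32_t used, uint32_t n_fatent)
{
    if (n_fatent <= 2 || used > n_fatent - 2) return -1;
    return (int)(((uint64_t)used * 100) / (n_fatent - 2));
}

/* Constructed test fixture: a zeroed boot sector with only ClusterCount set. */
const uint8_t *make_boot_sector(uint32_t clusters)
{
    static uint8_t bs[EXFAT_SECTOR_SIZE];
    memset(bs, 0, sizeof bs);
    for (int i = 0; i < 4; i++)
        bs[EXFAT_BS_CLUSTER_COUNT + i] = (uint8_t)(clusters >> (8 * i));
    return bs;
}
```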

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

Showing 14 associated CPEs

Vendor             | Product            | Version / Range
elm-chips          | fatfs              | 0.16
chan               | fatfs              | to r0.17 (exc)
stmicroelectronics | middleware_fatfs   | *
zephyr_project     | zephyr_rtos        | *
ardupilot          | ardupilot          | *
rt_thread          | rt_thread          | *
riot_os            | riot_os            | *
arm_limited        | mbed               | *
samsung            | tizenrt            | *
micropython        | micropython        | *
nanovna            | nanovna            | *
swupdate           | swupdate           | *
chan               | fatfs              | to r0.16 (exc)
zephyr_project     | zephyr             | *

Exploitability

CWE-369: The product divides a value by zero.

Compliance Impact

The provided information does not specify any direct impact of CVE-2026-6683 on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-6683 is a divide-by-zero vulnerability in ChaN's FatFs exFAT implementation, affecting versions R0.16 and earlier.

The flaw occurs in the exFAT sync and write paths when specially crafted metadata causes the divisor (n_fatent - 2) to become zero, leading to a crash during write, sync, or close operations.

This vulnerability maps to CWE-369 (Divide By Zero) and can cause denial of service by crashing the system handling the exFAT media.

Impact Analysis

This vulnerability can cause denial of service by crashing embedded systems or devices that use the vulnerable FatFs exFAT implementation.

It can potentially brick embedded systems or cause persistent operational failures, especially in over-the-air (OTA) update workflows or any system processing untrusted exFAT media.

The vulnerability can be triggered remotely in some update pipelines, increasing the risk of exploitation.

Detection Guidance

This vulnerability manifests as a divide-by-zero error during exFAT write, sync, or close operations when handling crafted metadata. Detection involves monitoring for crashes or denial of service events related to FatFs exFAT operations, especially during media write or sync processes.

Since the vulnerability triggers a crash when n_fatent - 2 equals zero, you can detect it by observing system logs or error messages indicating divide-by-zero faults or abnormal termination of processes handling exFAT media.

No specific detection commands are provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include avoiding the use of untrusted or crafted exFAT media that could trigger the divide-by-zero condition during write or sync operations.

Since the vulnerability can be triggered remotely in some update pipelines, it is advisable to review and restrict update sources and media to trusted origins only.

Applying patches or updates from affected downstream projects or vendors once available is recommended to fully remediate the issue.
