CVE-2026-6687

Stack Overflow in FatFs File System

Vulnerability report for CVE-2026-6687, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: 44488dab-36db-4358-99f9-bc116477f914

Description

FatFs R0.16 and earlier contains a stack overflow bug in f_getlabel() because the exFAT label length (XDIR_NumLabel) read from the media is trusted without enforcing the specification maximum. This maps to CWE-121 (Stack-based Buffer Overflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.


Affected Vendors & Products

3 associated CPEs:

Vendor     Product   Version / Range
elm-chan   fatfs     up to 0.16 (exclusive)
chan       fatfs     up to r0.17 (exclusive)
chan       fatfs     * (all versions)

CWE

CWE-121: A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).


Executive Summary

CVE-2026-6687 is a stack overflow vulnerability in the FatFs exFAT library affecting versions R0.16 and earlier. The issue occurs in the f_getlabel() function due to improper handling of the exFAT label length (XDIR_NumLabel), which can be set to values far exceeding the expected maximum of 11 characters.

This leads to a stack-based buffer overflow when copying label data into fixed-size buffers such as char label[12] or char label[24]. The vulnerability is classified under CWE-121 (Stack-based Buffer Overflow) and has a high severity rating with a CVSS v3.1 score of 7.6.

Attackers can exploit this by crafting malicious exFAT media that triggers memory corruption when the label is read, potentially allowing code execution on bare-metal systems that lack modern mitigations.

Impact Analysis

This vulnerability can lead to memory corruption through a stack-based buffer overflow, which may allow an attacker to execute arbitrary code on affected systems.

Systems using vulnerable versions of FatFs that process attacker-controlled exFAT media are at risk, especially bare-metal systems without modern security mitigations.

The impact includes potential total compromise of confidentiality, integrity, and availability, as indicated by the CVSS vector (C:H/I:H/A:H).

Detection Guidance

This vulnerability occurs in the FatFs exFAT library versions R0.16 and earlier, specifically in the f_getlabel() function when processing exFAT media with maliciously crafted labels exceeding the expected maximum length.

Detection involves identifying systems or devices using vulnerable FatFs versions and monitoring for attempts to read exFAT media with abnormally long volume labels that could trigger the stack overflow.

Since the vulnerability is triggered by reading exFAT media rather than by network activity, the practical check is to verify which FatFs version is built into the firmware of your embedded or bare-metal systems.

There are no specific commands provided in the resources to detect exploitation attempts or scan for vulnerable systems.

Mitigation Strategies

Immediate mitigation involves preventing the processing of attacker-controlled exFAT media with maliciously crafted labels on systems using FatFs R0.16 or earlier.

If possible, update or patch the FatFs library to a version that enforces the exFAT label length specification and prevents stack overflow.

If updates are not available, consider implementing input validation or sanitization on exFAT label lengths before calling f_getlabel(), or restrict usage of removable media from untrusted sources.
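As an added illustration of the length validation described above (not code from this page or from the FatFs project), the following self-contained C routine decodes an exFAT volume-label directory entry and rejects any count byte above the 11-character specification maximum before copying into a 12-byte buffer; the entry layout (type byte 0x83, count at offset 1, UTF-16LE text from offset 2) is assumed from the exFAT format, and the sample entries are constructed.

```c
#include <stdint.h>
#include <string.h>

#define EXFAT_ENTRY_SIZE      32
#define EXFAT_ET_VOLUME_LABEL 0x83  /* exFAT directory entry type for the volume label */
#define EXFAT_LABEL_MAXCHARS  11    /* spec maximum for the label character count */
#define LABEL_NUMCHARS_OFF    1     /* assumed offset of the count byte (XDIR_NumLabel role) */
#define LABEL_TEXT_OFF        2     /* assumed offset of the UTF-16LE label text */

/* Decode the label into out[12] (11 chars + NUL). Returns 0 on success, -1 if the
 * entry is not a label entry or the count byte exceeds the spec maximum. Rejecting
 * the oversize count is the check whose absence lets the copy overrun the buffer. */
int exfat_read_label(const uint8_t entry[EXFAT_ENTRY_SIZE], char out[12])
{
    if (entry[0] != EXFAT_ET_VOLUME_LABEL) return -1;
    unsigned n = entry[LABEL_NUMCHARS_OFF];        /* untrusted: comes from the media */
    if (n > EXFAT_LABEL_MAXCHARS) return -1;       /* enforce the 11-character maximum */
    for (unsigned i = 0; i < n; i++) {
        uint16_t wc = (uint16_t)(entry[LABEL_TEXT_OFF + 2 * i] | (entry[LABEL_TEXT_OFF + 2 * i + 1] << 8));
        out[i] = (wc < 0x80) ? (char)wc : '?';     /* ASCII only in this demo */
    }
    out[n] = '\0';
    return 0;
}

/* Build a constructed label entry with the given ASCII text and count byte.
 * The count is stored as given so that a mismatched (oversize) count can be fed in. */
void build_label_entry(uint8_t entry[EXFAT_ENTRY_SIZE], const char *ascii, uint8_t count)
{
    memset(entry, 0, EXFAT_ENTRY_SIZE);
    entry[0] = EXFAT_ET_VOLUME_LABEL;
    entry[LABEL_NUMCHARS_OFF] = count;
    size_t len = strlen(ascii);
    for (size_t i = 0; i < len && i < EXFAT_LABEL_MAXCHARS; i++)
        entry[LABEL_TEXT_OFF + 2 * i] = (uint8_t)ascii[i];   /* high byte stays 0 */
}

/* Returns 1 when a well-formed entry decodes correctly and an entry whose
 * count byte is far above 11 is rejected before any copy takes place. */
int demo(void)
{
    uint8_t entry[EXFAT_ENTRY_SIZE];
    char label[12];
    build_label_entry(entry, "FIRMWARE", 8);
    if (exfat_read_label(entry, label) != 0 || strcmp(label, "FIRMWARE") != 0) return 0;
    build_label_entry(entry, "FIRMWARE", 200);    /* count byte far beyond the maximum */
    return exfat_read_label(entry, label) == -1;
}
```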
