CVE-2026-6688
Status: Received - Intake

Buffer Overflow in FatFs Due to LFN Handling

Vulnerability report for CVE-2026-6688, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: 44488dab-36db-4358-99f9-bc116477f914

Description

FatFs R0.16 and earlier contains a downstream-caller vulnerability pattern associated with FatFs long filename handling. With LFN enabled, fno.fname can be up to 255 characters; many callers copy it into short fixed buffers without bounds checks, causing overflow. This maps to CWE-120 (Buffer Copy without Checking Size of Input). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (7.6, High). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.

Meta Information

Published
2026-07-01
Last Modified
2026-07-01
Generated
2026-07-01
AI Q&A
2026-07-01
EPSS Evaluated
N/A

Affected Vendors & Products

Showing 2 associated CPEs

Vendor     Product   Version / Range
elm-chan   fatfs     to r0.16 (exc)
chan       fatfs     0.16

Exploitability

CWE
CWE-120: The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

Compliance Impact

The vulnerability in FatFs long filename handling can lead to buffer overflows that may result in crashes, control-flow corruption, or arbitrary code execution. Such security impacts (confidentiality, integrity, and availability) rated as high severity could potentially affect compliance with standards and regulations like GDPR or HIPAA, which require protection of sensitive data and system integrity.

However, the provided information does not explicitly discuss or link this vulnerability to specific compliance requirements or regulatory impacts.

Executive Summary

CVE-2026-6688 is a buffer overflow vulnerability related to the handling of long filenames (LFN) in ChaN's FatFs file system library. When LFN is enabled, the filename field can hold up to 255 characters, but many programs that use FatFs copy this filename into smaller fixed-size buffers without checking if the filename fits. This lack of bounds checking can cause buffer overflows.

This vulnerability is classified under CWE-120, which involves copying data into buffers without verifying the size, leading to potential memory corruption.

Attackers can exploit this by creating FAT media with specially crafted long filenames that overflow buffers in downstream software, potentially causing crashes, control-flow corruption, or even arbitrary code execution.

Impact Analysis

This vulnerability can lead to serious security impacts including crashes, corruption of program control flow, and arbitrary code execution on affected systems.

Because the vulnerability allows attackers to execute arbitrary code, it can be used to take control of devices or software that use FatFs with long filename support enabled.

The CVSS v3.1 score of 7.6 (High) reflects the significant confidentiality, integrity, and availability impacts possible from exploitation.

Affected products include various IoT devices and embedded systems such as Zephyr RTOS-based products, NodeMCU Firmware, Samsung TizenRT, and others, meaning users of these systems could be at risk.

Detection Guidance

This vulnerability arises from unsafe handling of long filenames (LFN) in FatFs, where the fno.fname field can be up to 255 characters but is copied into short fixed buffers without bounds checking. Detection involves identifying usage of vulnerable FatFs versions (R0.16 and earlier) and scanning for unsafe string operations such as strcpy, sprintf, or unchecked path appends that handle filenames.

On systems using FatFs, you can check for the presence of vulnerable versions and inspect code or binaries for calls to unsafe string functions that handle filenames. For example, searching source code for strcpy or sprintf usage with filename variables can help identify vulnerable code paths.

  • Use grep or similar tools to search source code: grep -rE '(strcpy|sprintf|strncpy|snprintf)' ./path/to/source | grep fname
  • Check FatFs version in your system to confirm if it is R0.16 or earlier.
  • Monitor logs or crash reports for stack or heap corruption symptoms triggered by long filenames.

Mitigation Strategies

Immediate mitigation steps include disabling long filename (LFN) support in FatFs if possible, to prevent processing of filenames longer than the short 8.3 format.

If disabling LFN is not feasible, audit and update all downstream callers to ensure proper bounds checking when copying or handling filenames, replacing unsafe functions like strcpy or sprintf with safer alternatives such as strncpy or snprintf.

Apply patches or updates from downstream projects or vendors that address this vulnerability once available.

Avoid mounting or processing FAT media with untrusted or crafted long filenames until the vulnerability is mitigated.
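The following C is an added illustration of the caller-side fix described above; it is not code from the FatFs project or from this report. It places the unchecked copy pattern (strcpy / sprintf of fno.fname into a fixed buffer) beside a bounded replacement that measures the name first, checks the snprintf return value, and always leaves the destination NUL-terminated. The FILINFO stand-in (only fname is modelled), the 32-byte destination size, the helper names and the sample file names are constructed for the example; only the 255-character fname capacity comes from the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the FatFs FILINFO record (assumption: only fname is modelled;
 * the real struct in ff.h carries further fields). With LFN enabled, fname
 * holds up to 255 characters plus the terminating NUL, as the report states. */
#define MAX_LFN 255
typedef struct {
    char fname[MAX_LFN + 1];
} fileinfo_t;

/* Destination size typical of callers written for 8.3 names (constructed). */
#define NAME_BUF 32

/* Length of fname, never scanning past the field even if it lacks a NUL. */
size_t fname_len(const fileinfo_t *fno)
{
    const char *end = memchr(fno->fname, '\0', sizeof fno->fname);
    return end ? (size_t)(end - fno->fname) : sizeof fno->fname;
}

/* Unsafe pattern named in the report, shown for contrast and never called here:
 *     char name[NAME_BUF];
 *     strcpy(name, fno->fname);                 // up to 255 bytes into 32
 *     sprintf(path, "%s/%s", dir, fno->fname);  // unchecked path append
 * strncpy(name, fno->fname, NAME_BUF) is not a fix on its own either: when the
 * source is NAME_BUF bytes or longer it leaves `name` without a NUL terminator. */

/* Bounded copy: rejects a name that does not fit together with its NUL and
 * leaves the destination empty in that case. Returns 0 on success, -1 otherwise. */
int copy_fname_checked(char *dst, size_t dst_size, const fileinfo_t *fno)
{
    if (dst == NULL || dst_size == 0 || fno == NULL) return -1;
    size_t n = fname_len(fno);
    if (n >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, fno->fname, n);
    dst[n] = '\0';
    return 0;
}

/* Bounded path append: snprintf never writes past dst_size, but its return
 * value is the length the full string would have had, so a value >= dst_size
 * means truncation and is treated as an error. %.*s bounds the read of fname. */
int join_path_checked(char *dst, size_t dst_size, const char *dir, const fileinfo_t *fno)
{
    if (dst == NULL || dst_size == 0 || dir == NULL || fno == NULL) return -1;
    int needed = snprintf(dst, dst_size, "%s/%.*s", dir, (int)fname_len(fno), fno->fname);
    if (needed < 0 || (size_t)needed >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed FILINFO-like record whose name is `len` copies of `fill`. */
fileinfo_t make_fileinfo(char fill, size_t len)
{
    fileinfo_t fno;
    if (len > MAX_LFN) len = MAX_LFN;
    memset(fno.fname, fill, len);
    fno.fname[len] = '\0';
    return fno;
}

int main(void)
{
    char name[NAME_BUF];
    char path[64];
    fileinfo_t short_name = make_fileinfo('a', 10);      /* fits in a 32-byte buffer */
    fileinfo_t long_name  = make_fileinfo('A', MAX_LFN); /* 255 chars, the LFN maximum */

    printf("short copy: %s\n", copy_fname_checked(name, sizeof name, &short_name) == 0 ? name : "rejected");
    printf("long copy:  %s\n", copy_fname_checked(name, sizeof name, &long_name) == 0 ? name : "rejected");
    printf("short path: %s\n", join_path_checked(path, sizeof path, "/sd", &short_name) == 0 ? path : "rejected");
    printf("long path:  %s\n", join_path_checked(path, sizeof path, "/sd", &long_name) == 0 ? path : "rejected");
    return 0;
}
```

The design choice worth noting is that both helpers refuse an oversized name rather than silently truncating it: a truncated filename can refer to a different entry on the medium, so the caller should be told and decide (skip, log, or allocate a larger buffer of fname_len + 1 bytes).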
