CVE Record
[ HIGH ] CVE-2026-6682
FatFs FAT32 mount integer overflow leading to memory corruption
An integer overflow in FatFs's FAT32 mount path can be triggered by a crafted volume and lead to memory corruption and possible code execution on the parsing device. FatFs ships inside many embedded stacks (ESP-IDF, STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, TizenRT, SWUpdate). Disclosed by runZero on 2026-07-01; no upstream fix as of disclosure.
- Vendor: ChaN / FatFs upstream
- Product: FatFs (as shipped in downstream RTOS / firmware distributions)
- CVSS: 7.6
- Status: unpatched
- Published: