CVE-2026-6685
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
A vulnerability in FatFs R0.16 and earlier allows bypassing dirty-cache consistency checks via unsigned-subtraction wrap in f_read() and f_write() during interleaved read/write operations on fragmented filesystems.
Risk Assessment
An attacker with physical access can cause data corruption on the storage medium (e.g., SD card, USB drive) or complete loss of filesystem integrity, potentially leading to device failure or loss of critical information.
Recommendation
Update the FatFs library to a version newer than R0.16 if available. If no patch is available, restrict physical access to devices using this library and avoid interleaved read/write operations on fragmented filesystems.
Original NVD description (English source)
FatFs R0.16 and earlier exhibits a stale dirty-cache skip via unsigned-subtraction wrap in f_read() / f_write() (fp->sect - sect < cc) during interleaved read/write on fragmented filesystems. This maps to CWE-191 (Integer Underflow). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (6.1, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Total.

