CVE-2026-6686
MediumCVSS 4.6Exploitation Probability (EPSS)
Low risk6th percentile — higher than 6% of all known CVEs
Summary
FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This can lead to data disclosure.
Risk Assessment
The risk involves potential leakage of sensitive data from uninitialized memory areas, which could compromise information confidentiality for the organization.
Recommendation
It is recommended to upgrade FatFs to a version later than R0.16 that includes a fix for this vulnerability, or manually zero-fill newly allocated clusters.
Original NVD description (English source)
FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.

