CVE Catalog

CVE-2026-6686

MediumCVSS 4.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.16%

6th percentile — higher than 6% of all known CVEs

Summary

FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This can lead to data disclosure.

Risk Assessment

The risk involves potential leakage of sensitive data from uninitialized memory areas, which could compromise information confidentiality for the organization.

Recommendation

It is recommended to upgrade FatFs to a version later than R0.16 that includes a fix for this vulnerability, or manually zero-fill newly allocated clusters.

Original NVD description (English source)

FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS