Vulnerability Details CVE-2026-6686
FatFs R0.16 and earlier contains an uninitialized cluster exposure when f_lseek() extends files beyond EOF without zero-filling newly allocated clusters. This maps to CWE-908 (Use of Uninitialized Resource). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (4.6, Medium). The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
Exploit prediction scoring system (EPSS) score
EPSS Score: 0.002
EPSS Ranking: 7.4%
CVSS Severity
CVSS v3 Score: 4.6
Products affected by CVE-2026-6686
- cpe:2.3:a:elm-chan:fatfs:r0.07a
- cpe:2.3:a:elm-chan:fatfs:r0.07c
- cpe:2.3:a:elm-chan:fatfs:r0.07e
- cpe:2.3:a:elm-chan:fatfs:r0.08
- cpe:2.3:a:elm-chan:fatfs:r0.08a
- cpe:2.3:a:elm-chan:fatfs:r0.08b
- cpe:2.3:a:elm-chan:fatfs:r0.09
- cpe:2.3:a:elm-chan:fatfs:r0.09a
- cpe:2.3:a:elm-chan:fatfs:r0.09b
- cpe:2.3:a:elm-chan:fatfs:r0.10
- cpe:2.3:a:elm-chan:fatfs:r0.10a
- cpe:2.3:a:elm-chan:fatfs:r0.10b
- cpe:2.3:a:elm-chan:fatfs:r0.10c
- cpe:2.3:a:elm-chan:fatfs:r0.11
- cpe:2.3:a:elm-chan:fatfs:r0.11a
- cpe:2.3:a:elm-chan:fatfs:r0.12
- cpe:2.3:a:elm-chan:fatfs:r0.12a
- cpe:2.3:a:elm-chan:fatfs:r0.12b
- cpe:2.3:a:elm-chan:fatfs:r0.12c
- cpe:2.3:a:elm-chan:fatfs:r0.13
- cpe:2.3:a:elm-chan:fatfs:r0.13a
- cpe:2.3:a:elm-chan:fatfs:r0.13b
- cpe:2.3:a:elm-chan:fatfs:r0.13c
- cpe:2.3:a:elm-chan:fatfs:r0.14
- cpe:2.3:a:elm-chan:fatfs:r0.14a
- cpe:2.3:a:elm-chan:fatfs:r0.14b
- cpe:2.3:a:elm-chan:fatfs:r0.15
- cpe:2.3:a:elm-chan:fatfs:r0.15a
- cpe:2.3:a:elm-chan:fatfs:r0.15b
- cpe:2.3:a:elm-chan:fatfs:r0.16