CVE-2026-6683: CWE-369 Divide by zero in ChaN FatFs
FatFs R0.16 and earlier contains a divide-by-zero bug in its exFAT sync logic, triggered when crafted filesystem metadata causes the expression n_fatent - 2 to evaluate to zero during write/sync operations. This maps to CWE-369 (Divide By Zero). Estimated CVSS v3.1 vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (4.6, Medium). Network-delivered update media can make this remotely triggerable in some pipelines. The estimated CISA SSVC vectors are Exploitation: PoC, Technical Impact: Partial.
AI Analysis
Technical Summary
CVE-2026-6683 is a divide-by-zero vulnerability (CWE-369) in the FatFs filesystem library, affecting versions R0.16 and earlier. The flaw arises in the exFAT synchronization logic when crafted metadata causes the expression n_fatent - 2 to evaluate to zero during write or sync operations. The resulting divide-by-zero error produces a denial of service condition. The vulnerability can be triggered remotely in environments where update media is delivered over a network. The CVSS v3.1 base score is 4.6 (Medium), with a physical attack vector (AV:P), low attack complexity, no privileges required, no user interaction, and impact limited to availability. There is no known exploitation in the wild, and no official remediation or patch has been published as of this writing.
Potential Impact
Successful exploitation causes a denial of service through a divide-by-zero error during exFAT write or sync operations. There is no confidentiality or integrity impact. In deployment scenarios that consume network-delivered update media, the vulnerability can be triggered remotely, potentially crashing the system or application that mounts the crafted volume.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, avoid using untrusted or crafted exFAT metadata on affected FatFs versions. Monitor vendor channels for updates or patches addressing this issue.
CVSS v3.1
Score: 4.6 (Medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: runZero
- Date Reserved: 2026-04-20T15:06:19.048Z
- Cvss Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a45260c27e9c79719982ac1
Added to database: 07/01/2026, 14:37:00 UTC
Last enriched: 07/01/2026, 14:53:38 UTC
Last updated: 07/01/2026, 21:31:26 UTC