mirror of
https://github.com/espressif/esp-idf.git
synced 2026-07-16 16:03:08 +03:00
The initial CVE-2026-6682 fix (merged in !50362) hardened the exFAT mount path, but the CVE as reported by runZero is a FAT32 defect in mount_volume() and is reachable in ESP-IDF's default configuration (exFAT and 64-bit LBA disabled). This corrects the fix. Root cause: `fasize *= fs->n_fats` is a DWORD multiply with no overflow guard. A crafted BPB_FATSz32 such as 0x80000001 with NumFATs=2 wraps `fasize` to 0x00000002. The wrapped (too-small) FAT size then places `fs->database` inside the FAT region, so a forged directory entry in the overlapping sector yields an attacker-controlled `finfo.fsize`. Any caller that uses that size as a read length overflows its buffer with attacker-controlled bytes (CVSS 7.6, path to RCE). The later `fs->fsize < szbfat` check does not catch this because it compares the un-doubled single-FAT size, which is still large. Fix: reject a per-FAT size that overflows DWORD when multiplied by the FAT count, and reject a reserved+FAT+root system-area size that overflows DWORD, before either value is used to derive the data-area base. The previous exFAT cluster-heap/bitmap 64-bit promotions are retained as defense-in-depth and their comments relabeled accordingly (they are not CVE-2026-6682). The SBOM cve-exclude-list reason is updated to describe the FAT32 overflow and its fix.