Critical FatFs Vulnerabilities Expose Millions of Embedded Devices
Key Takeaways
- Seven new vulnerabilities, ranging from Medium to High severity, have been discovered in FatFs, a widely used FAT/exFAT filesystem driver for embedded and IoT devices.
- Millions of devices are potentially affected, including consumer IoT, industrial controllers, drones, and crypto wallets, across platforms like Espressif ESP-IDF, STM32Cube, and Zephyr RTOS.
- The flaws, identified by runZero researchers with AI assistance, can be triggered by crafted media or update channels, potentially leading to code execution, data corruption, or denial-of-service.
- No upstream patches have been released due to a lack of response from the FatFs maintainer; implementers must audit their vendored code and prepare for eventual patch rollouts.
Widespread FatFs Vulnerabilities Impact Millions of Embedded Devices
Cybersecurity researchers at runZero have uncovered seven critical vulnerabilities within FatFs, a pervasive lightweight FAT/exFAT filesystem driver integral to countless embedded and IoT ecosystems. These newly disclosed flaws, assigned CVEs with CVSS scores ranging from Medium to High, present a significant risk across a vast spectrum of devices.
The impact of these vulnerabilities is far-reaching, affecting foundational platforms such as Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr RTOS, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate. This broad adoption means the vulnerabilities extend into critical infrastructure, consumer IoT products, industrial control systems, unmanned aerial vehicles (drones), and even cryptocurrency wallets.
AI-Assisted Discovery
This recent research builds upon an earlier 2017 manual audit and fuzzing effort that yielded only minor findings. However, in March 2026, runZero revisited the FatFs codebase with a novel approach, leveraging Visual Studio Code and GitHub Copilot in “auto” mode. This AI-assisted method, executed without custom harnesses or dedicated fuzzing loops, proved instrumental in identifying previously overlooked bugs and validating their real-world exploitability across diverse embedded scenarios. This success underscores the increasing utility of artificial intelligence in uncovering long-tail vulnerabilities within complex supply chains.
Detailed Vulnerability Breakdown
High-Severity Flaws (CVSS 7.6)
- CVE-2026-6682: An integer overflow vulnerability resides in the mount_volume() function during FAT32 mounting operations. This flaw can lead to attacker-controlled file-size metadata, which could subsequently trigger a heap or stack overflow, potentially enabling arbitrary code execution.
- CVE-2026-6687: The f_getlabel() function contains an uncapped exFAT label-length field. This allows for oversized writes into caller-provided stack buffers, creating a clear memory-corruption primitive that attackers could exploit.
- CVE-2026-6688: When Long Filename (LFN) support is enabled, oversized fno.fname values can overflow fixed-size buffers in downstream callers utilizing functions like strcpy or sprintf. A complete resolution for this issue necessitates changes at the wrapper level, although FatFs could enhance its truncation signaling mechanisms.
Medium-Severity Flaws (CVSS 4.6 – 6.1)
- CVE-2026-6685 (CVSS 6.1): An unsigned-subtraction wraparound bug exists in the dirty-cache handling for fragmented volumes. This can lead to stale cache behavior and out-of-bounds memory effects, introducing a risk of silent data corruption.
- CVE-2026-6683 (CVSS 4.6): A divide-by-zero error can be triggered in exFAT sync/write paths through specially crafted media. This creates reliable crash conditions, which are particularly concerning for critical processes such as over-the-air (OTA) updates.
- CVE-2026-6686 (CVSS 4.6): Seeking beyond the end-of-file (EOF) exposes uninitialized cluster data. This vulnerability can leak stale content from previously deleted files, posing a risk in shared-media or multi-stage boot environments.
- CVE-2026-6684 (CVSS 4.6): Implementations prior to R0.16 lack proper GPT entry-count validation. This absence allows for unbounded partition-scan loops, which can lead to a denial-of-service condition during mount operations. The upstream R0.16 version already addresses this, shifting the responsibility to downstream implementers for upgrades.
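Added example, not FatFs's own R0.16 fix: the kind of GPT entry-count validation described for CVE-2026-6684, bounding the partition-entry scan from header fields and the known disk size before any loop runs. The 512-byte sector, MAX_GPT_ENTRIES and the check_constructed helper are assumptions of this example; the field offsets are the standard UEFI GPT header layout.

```c
#include <stdint.h>
#include <string.h>

#define SECTOR 512u
#define MAX_GPT_ENTRIES 128u   /* assumed application cap; UEFI mandates room for at least 128 */

/* Little-endian field helpers for the GPT header sector. */
static uint32_t rd32(const uint8_t *p) { uint32_t v = 0; for (int i = 3; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v = 0; for (int i = 7; i >= 0; i--) v = (v << 8) | p[i]; return v; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Returns how many partition entries a mount routine may iterate, or 0 to refuse
 * the table. Every bound comes from the header itself plus the known disk size,
 * so a crafted NumberOfPartitionEntries cannot drive an unbounded scan loop. */
uint32_t gpt_entry_budget(const uint8_t hdr[SECTOR], uint64_t disk_sectors) {
    if (memcmp(hdr, "EFI PART", 8) != 0) return 0;           /* signature at offset 0 */
    uint64_t entry_lba  = rd64(hdr + 72);                     /* PartitionEntryLBA */
    uint32_t n_entries  = rd32(hdr + 80);                     /* NumberOfPartitionEntries */
    uint32_t entry_size = rd32(hdr + 84);                     /* SizeOfPartitionEntry */
    /* UEFI: entry size is 128 * 2^n; anything else is malformed. */
    if (entry_size < 128 || (entry_size & (entry_size - 1)) != 0) return 0;
    if (n_entries == 0 || n_entries > MAX_GPT_ENTRIES) return 0;
    /* The whole entry array must fit on the medium (64-bit math, no wraparound). */
    uint64_t table_sectors = ((uint64_t)n_entries * entry_size + SECTOR - 1) / SECTOR;
    if (entry_lba < 2 || entry_lba > disk_sectors || disk_sectors - entry_lba < table_sectors) return 0;
    return n_entries;
}

/* Builds a constructed (not real) primary GPT header with the given fields and checks it. */
uint32_t check_constructed(uint32_t n_entries, uint32_t entry_size,
                           uint64_t entry_lba, uint64_t disk_sectors) {
    uint8_t hdr[SECTOR];
    memset(hdr, 0, sizeof hdr);
    memcpy(hdr, "EFI PART", 8);
    wr32(hdr + 12, 92);                 /* HeaderSize */
    wr64(hdr + 72, entry_lba);
    wr32(hdr + 80, n_entries);
    wr32(hdr + 84, entry_size);
    return gpt_entry_budget(hdr, disk_sectors);
}
```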
These vulnerabilities are primarily triggerable through maliciously crafted FAT, exFAT, or GPT images. Such images can be introduced via removable media (e.g., USB drives, SD cards) or through auto-mounted update channels. In embedded contexts, where devices frequently lack advanced security features like Address Space Layout Randomization (ASLR) and robust memory protection, physical access to a vulnerable device can directly translate into a full system compromise.
Affected device categories are broad, encompassing security cameras, automated teller machines (ATMs), electronic voting machines, and any hardware equipped with publicly accessible USB or SD card interfaces.
runZero attempted multiple times to establish contact with the FatFs maintainer and involved JPCERT/CC early in the disclosure process, but received no response. Given that most implementers maintain heavily vendored and locally modified versions of FatFs, any eventual upstream patches will necessitate careful validation before widespread adoption.
What You Should Do
- Audit Vendored Code: Implementers should immediately conduct thorough security audits of their specific vendored FatFs codebases to identify and understand the presence of these vulnerabilities.
- Review Wrapper Implementations: Pay close attention to how filename and file-size handling are managed in any custom wrappers or application-level code interacting with FatFs. Ensure robust input validation and buffer management.
- Prepare for Patches: Although no upstream patches are currently available, begin planning for future patch rollouts. This includes assessing the effort required for integration and validation within your specific device ecosystem.
- Implement Defense-in-Depth: Where possible, deploy additional layers of security, such as secure boot, access controls, and network segmentation, to mitigate the impact of potential exploitation, especially for devices with exposed interfaces.
- Monitor for Updates: Stay vigilant for any future communications from runZero, JPCERT/CC, or the FatFs community regarding potential mitigations or patches.
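Added example, not FatFs code or runZero's: a wrapper-level check of the kind the "Review Wrapper Implementations" step calls for, covering the fno.fname overflow in strcpy callers (CVE-2026-6688) and untrusted on-media file sizes (CVE-2026-6682). FILINFO here is a two-field stand-in for the FatFs structure, and LFN_BUF, APP_NAME_MAX and APP_FILE_MAX are assumed application values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#define LFN_BUF 255              /* assumed LFN buffer length of the stand-in FILINFO */
#define APP_NAME_MAX 32          /* the application's fixed-size name field */
#define APP_FILE_MAX (1u << 20)  /* largest file this application will ever load (1 MiB) */

/* Stand-in for FatFs FILINFO: only the two fields this example uses. */
typedef struct {
    uint64_t fsize;              /* size taken from the on-media directory entry */
    char fname[LFN_BUF + 1];     /* long filename; the driver NUL-terminates it */
} FILINFO;

/* Vulnerable pattern from the article: unbounded strcpy into a fixed buffer. */
void copy_name_unsafe(const FILINFO *fno, char out[APP_NAME_MAX]) {
    strcpy(out, fno->fname);     /* overflows when fname is longer than APP_NAME_MAX - 1 */
}

/* Hardened form: bounded copy, guaranteed NUL, truncation reported to the caller. */
bool copy_name_safe(const FILINFO *fno, char *out, size_t out_len) {
    const char *end = memchr(fno->fname, '\0', sizeof fno->fname);
    size_t n = end ? (size_t)(end - fno->fname) : sizeof fno->fname;
    if (out_len == 0) return false;
    if (n >= out_len) {          /* would not fit: copy what fits and signal truncation */
        memcpy(out, fno->fname, out_len - 1);
        out[out_len - 1] = '\0';
        return false;
    }
    memcpy(out, fno->fname, n + 1);
    return true;
}

/* On-media file size is attacker-controlled: bound it before sizing any buffer. */
bool size_is_acceptable(uint64_t fsize) {
    return fsize != 0 && fsize <= APP_FILE_MAX;
}

/* Self-check on constructed entries: returns 0 when every case behaves as intended. */
int selftest(void) {
    FILINFO fno = { .fsize = 4096 };
    char out[APP_NAME_MAX];
    strcpy(fno.fname, "firmware.bin");
    if (!copy_name_safe(&fno, out, sizeof out) || strcmp(out, "firmware.bin")) return 1;
    memset(fno.fname, 'A', 100); fno.fname[100] = '\0';    /* constructed 100-char LFN */
    if (copy_name_safe(&fno, out, sizeof out)) return 2;    /* must report truncation */
    if (strlen(out) != APP_NAME_MAX - 1) return 3;          /* and stay NUL-terminated */
    if (!size_is_acceptable(fno.fsize) || size_is_acceptable(UINT64_MAX)) return 4;
    return 0;
}
```

A caller that receives false from copy_name_safe should drop or rename the entry rather than use the partial name.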
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.