Critical FatFs Vulnerabilities Expose Millions of Embedded Devices

David kimber
July 4, 2026 4 Min Read

Key Takeaways

  • Seven new vulnerabilities, ranging from Medium to High severity, have been discovered in FatFs, a widely used FAT/exFAT filesystem driver for embedded and IoT devices.
  • Millions of devices are potentially affected, including consumer IoT, industrial controllers, drones, and crypto wallets, across platforms like Espressif ESP-IDF, STM32Cube, and Zephyr RTOS.
  • The flaws, identified by runZero researchers with AI assistance, can be triggered by crafted media or update channels, potentially leading to code execution, data corruption, or denial-of-service.
  • No upstream patches have been released due to a lack of response from the FatFs maintainer; implementers must audit their vendored code and prepare for eventual patch rollouts.

Widespread FatFs Vulnerabilities Impact Millions of Embedded Devices

Cybersecurity researchers at runZero have uncovered seven critical vulnerabilities within FatFs, a pervasive lightweight FAT/exFAT filesystem driver integral to countless embedded and IoT ecosystems. These newly disclosed flaws, each assigned a CVE with CVSS severities ranging from Medium to High, present a significant risk across a vast spectrum of devices.

The impact of these vulnerabilities is far-reaching, affecting foundational platforms such as Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr RTOS, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate. This broad adoption means the vulnerabilities extend into critical infrastructure, consumer IoT products, industrial control systems, unmanned aerial vehicles (drones), and even cryptocurrency wallets.

AI-Assisted Discovery

This recent research builds upon an earlier 2017 manual audit and fuzzing effort that yielded only minor findings. However, in March 2026, runZero revisited the FatFs codebase with a novel approach, leveraging Visual Studio Code and GitHub Copilot in “auto” mode. This AI-assisted method, executed without custom harnesses or dedicated fuzzing loops, proved instrumental in identifying previously overlooked bugs and validating their real-world exploitability across diverse embedded scenarios. This success underscores the increasing utility of artificial intelligence in uncovering long-tail vulnerabilities within complex supply chains.

Detailed Vulnerability Breakdown

High-Severity Flaws (CVSS 7.6)

  • CVE-2026-6682: An integer overflow vulnerability resides in the mount_volume() function during FAT32 mounting operations. Through it, attacker-controlled file-size metadata can subsequently trigger a heap or stack overflow, potentially enabling arbitrary code execution.
  • CVE-2026-6687: The f_getlabel() function contains an uncapped exFAT label-length field. This allows for oversized writes into caller-provided stack buffers, creating a clear memory-corruption primitive that attackers could exploit.
  • CVE-2026-6688: When Long Filename (LFN) support is enabled, oversized fno.fname values can overflow fixed-size buffers in downstream callers utilizing functions like strcpy or sprintf. A complete resolution for this issue necessitates changes at the wrapper level, although FatFs could enhance its truncation signaling mechanisms.
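The two buffer-handling flaws above share one defensive pattern: a length that originates on the media (the exFAT label-length field) or from the driver (the LFN fno.fname) must be checked against the destination buffer before any copy, and truncation must be signalled rather than silently written past the end. The following C is an added example written for this article; it is not FatFs code or runZero's test code. The buffer sizes, function names and sample labels/filenames are constructed assumptions that model the caller-provided buffers the advisory describes.

```c
/* Added example (not FatFs code): bounded copies into caller-provided buffers.
 * Models the two patterns in the advisory: an on-disk label length field that
 * must be capped before the driver writes into the caller's buffer
 * (CVE-2026-6687), and an LFN fno.fname that an application wrapper copies
 * into a fixed-size path buffer with strcpy/sprintf (CVE-2026-6688).
 * Buffer sizes and function names are the example's own assumptions. */
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define LABEL_BUF 12   /* assumed caller buffer: 11 label bytes + terminator */
#define PATH_BUF  64   /* assumed fixed-size path buffer inside a wrapper */

/* Copy `len` label bytes from the directory-entry field `src` into `dst`
 * (dst_size bytes). `len` comes from the media, so it is untrusted: returns 0
 * on success, -1 (leaving dst empty) if the label would not fit together
 * with its terminator. */
int copy_label_checked(char *dst, size_t dst_size, const char *src, unsigned len)
{
    if (dst == NULL || dst_size == 0) return -1;
    if (len >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Join a directory path and an entry name (as returned in fno.fname) into a
 * fixed-size buffer. Returns the length the full path needs; a value >=
 * dst_size means snprintf truncated, and the caller must not use the path.
 * This replaces the strcpy/sprintf pattern with explicit truncation signalling. */
int join_path_checked(char *dst, size_t dst_size, const char *dir, const char *fname)
{
    int needed = snprintf(dst, dst_size, "%s/%s", dir, fname);
    if (needed < 0) {
        if (dst_size) dst[0] = '\0';
        return -1;
    }
    return needed;
}

/* Scenario checks with constructed inputs; each returns 1 when the defensive
 * behaviour holds. */
int check_label_fits(void)
{
    char buf[LABEL_BUF];
    const char disk_label[] = "MYVOLUME";      /* constructed 8-byte label */
    return copy_label_checked(buf, sizeof buf, disk_label, 8) == 0
        && strcmp(buf, "MYVOLUME") == 0;
}

int check_label_overlong_rejected(void)
{
    char buf[LABEL_BUF];
    char disk_label[200];                      /* constructed: length field claims 200 */
    memset(disk_label, 'A', sizeof disk_label);
    return copy_label_checked(buf, sizeof buf, disk_label, 200) == -1 && buf[0] == '\0';
}

int check_path_fits(void)
{
    char path[PATH_BUF];
    int n = join_path_checked(path, sizeof path, "/sd", "a.txt");
    return n == 9 && strcmp(path, "/sd/a.txt") == 0;
}

int check_path_truncation_detected(void)
{
    char path[PATH_BUF];
    char longname[256];                        /* constructed 255-character LFN */
    memset(longname, 'b', 255);
    longname[255] = '\0';
    int n = join_path_checked(path, sizeof path, "/sd", longname);
    /* snprintf wrote at most PATH_BUF-1 bytes and reported the full length */
    return n >= (int)sizeof path && strlen(path) == sizeof path - 1;
}

int main(void)
{
    printf("label fits: %d\n", check_label_fits());
    printf("overlong label rejected: %d\n", check_label_overlong_rejected());
    printf("short path fits: %d\n", check_path_fits());
    printf("long LFN truncation detected: %d\n", check_path_truncation_detected());
    return 0;
}
```

The point of `join_path_checked` returning the required length is that a wrapper can distinguish "fits" from "truncated" in one comparison and refuse to open or delete a path it did not fully assemble; silently truncating a filename is a correctness bug as well as a safety issue.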

Medium-Severity Flaws (CVSS 4.6 – 6.1)

  • CVE-2026-6685 (CVSS 6.1): An unsigned-subtraction wraparound bug exists in the dirty-cache handling for fragmented volumes. This can lead to stale cache behavior and out-of-bounds memory effects, introducing a risk of silent data corruption.
  • CVE-2026-6683 (CVSS 4.6): A divide-by-zero error can be triggered in exFAT sync/write paths through specially crafted media. This creates reliable crash conditions, which are particularly concerning for critical processes such as over-the-air (OTA) updates.
  • CVE-2026-6686 (CVSS 4.6): Seeking beyond the end-of-file (EOF) exposes uninitialized cluster data. This vulnerability can leak stale content from previously deleted files, posing a risk in shared-media or multi-stage boot environments.
  • CVE-2026-6684 (CVSS 4.6): Implementations prior to R0.16 lack proper GPT entry-count validation. This absence allows for unbounded partition-scan loops, which can lead to a denial-of-service condition during mount operations. The upstream R0.16 version already addresses this, shifting the responsibility to downstream implementers for upgrades.
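Three of the flaws, the mount_volume() integer overflow (CVE-2026-6682), the exFAT divide-by-zero (CVE-2026-6683) and the unbounded GPT partition scan (CVE-2026-6684), are all instances of on-disk values reaching arithmetic or loop bounds unchecked. The C below is an added example written for this article, not FatFs code and not runZero's proof-of-concept material; it shows the checks a mount path should apply. The field names, the entry-count and entry-size caps, and the sample geometry values are the example's own assumptions, not FatFs internals.

```c
/* Added example (not FatFs code): validating on-disk values before they feed
 * size arithmetic, divisions, or loop bounds at mount time. Models the three
 * failure modes in the advisory: size arithmetic that wraps (CVE-2026-6682),
 * a zero divisor from crafted geometry (CVE-2026-6683), and a partition scan
 * with no cap on the GPT entry count (CVE-2026-6684). Names, caps and field
 * choices are the example's own, not FatFs internals. */
#include <stdint.h>
#include <stdio.h>

#define MAX_GPT_ENTRIES    128u   /* assumed cap on entries the scanner will walk */
#define MAX_GPT_ENTRY_SIZE 4096u  /* assumed cap on SizeOfPartitionEntry */

enum vol_status { VOL_OK = 0, VOL_BAD_GEOMETRY, VOL_OVERFLOW };

/* 32-bit multiply that reports overflow instead of silently wrapping. */
static int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    uint64_t p = (uint64_t)a * b;
    if (p > UINT32_MAX) return 0;
    *out = (uint32_t)p;
    return 1;
}

/* Geometry check: every value later used as a divisor must be non-zero and a
 * power of two, and bytes-per-cluster must fit in 32 bits without wrapping. */
enum vol_status validate_geometry(uint32_t bytes_per_sector, uint32_t sectors_per_cluster,
                                  uint32_t *cluster_bytes_out)
{
    uint32_t cluster_bytes;
    if (bytes_per_sector == 0 || sectors_per_cluster == 0) return VOL_BAD_GEOMETRY;
    if ((bytes_per_sector & (bytes_per_sector - 1)) != 0) return VOL_BAD_GEOMETRY;
    if ((sectors_per_cluster & (sectors_per_cluster - 1)) != 0) return VOL_BAD_GEOMETRY;
    if (!mul_u32_checked(bytes_per_sector, sectors_per_cluster, &cluster_bytes)) return VOL_OVERFLOW;
    if (cluster_bytes_out) *cluster_bytes_out = cluster_bytes;
    return VOL_OK;
}

/* Naive round-up: (fsize + cluster_bytes - 1) / cluster_bytes. For a file
 * size near UINT32_MAX the addition wraps and the result understates how many
 * clusters the chain spans, which is how a size field from the media can push
 * later copies past a buffer sized from this count. Kept only to contrast with
 * the checked version; never call it with cluster_bytes == 0. */
uint32_t clusters_for_size_naive(uint32_t fsize, uint32_t cluster_bytes)
{
    return (fsize + cluster_bytes - 1) / cluster_bytes;
}

/* Checked round-up: no wrapping addition and an explicit zero-divisor guard.
 * Returns the cluster count, or -1 if cluster_bytes is zero. */
int64_t clusters_for_size_checked(uint32_t fsize, uint32_t cluster_bytes)
{
    if (cluster_bytes == 0) return -1;
    return (int64_t)(fsize / cluster_bytes) + ((fsize % cluster_bytes) ? 1 : 0);
}

/* Bound for the partition-scan loop, derived from the GPT header. Returns the
 * number of entries to walk, or -1 when the count or entry size is outside the
 * assumed range or the table size would not fit in 32 bits. */
int gpt_scan_bound(uint32_t num_entries, uint32_t entry_size)
{
    uint32_t table_bytes;
    if (num_entries == 0 || num_entries > MAX_GPT_ENTRIES) return -1;
    if (entry_size < 128 || entry_size > MAX_GPT_ENTRY_SIZE) return -1;
    if ((entry_size & (entry_size - 1)) != 0) return -1;
    if (!mul_u32_checked(num_entries, entry_size, &table_bytes)) return -1;
    return (int)num_entries;
}

int main(void)
{
    uint32_t cb = 0;
    printf("512 B/sector x 8: status %d, cluster bytes %u\n",
           (int)validate_geometry(512, 8, &cb), (unsigned)cb);
    printf("65536 x 65536: status %d (overflow)\n", (int)validate_geometry(65536, 65536, &cb));
    printf("naive clusters for 0xFFFFFFFF: %u\n", (unsigned)clusters_for_size_naive(0xFFFFFFFFu, 4096));
    printf("checked clusters for 0xFFFFFFFF: %lld\n", (long long)clusters_for_size_checked(0xFFFFFFFFu, 4096));
    printf("GPT bound for 128 x 128: %d, for 0xFFFFFFFF x 128: %d\n",
           gpt_scan_bound(128, 128), gpt_scan_bound(0xFFFFFFFFu, 128));
    return 0;
}
```

Two design choices are worth noting. The naive round-up for a 4 GiB-1 file with 4096-byte clusters yields 0 clusters, while the checked version yields 1048576; any buffer or loop sized from the naive value is undersized. The GPT bound is deliberately a fixed cap rather than "whatever the header says": a loop driven by an unvalidated 32-bit count is the denial-of-service pattern the advisory attributes to pre-R0.16 code.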

These vulnerabilities are primarily triggerable through maliciously crafted FAT, exFAT, or GPT images. Such images can be introduced via removable media (e.g., USB drives, SD cards) or through auto-mounted update channels. In embedded contexts, where devices frequently lack advanced security features like Address Space Layout Randomization (ASLR) and robust memory protection, physical access to a vulnerable device can directly translate into a full system compromise.

Affected device categories are broad, encompassing security cameras, automated teller machines (ATMs), electronic voting machines, and any hardware equipped with publicly accessible USB or SD card interfaces.

runZero attempted multiple times to establish contact with the FatFs maintainer and involved JPCERT/CC early in the disclosure process, but received no response. Given that most implementers maintain heavily vendored and locally modified versions of FatFs, any eventual upstream patches will necessitate careful validation before widespread adoption.

What You Should Do

  • Audit Vendored Code: Implementers should immediately conduct thorough security audits of their specific vendored FatFs codebases to identify and understand the presence of these vulnerabilities.
  • Review Wrapper Implementations: Pay close attention to how filename and file-size handling are managed in any custom wrappers or application-level code interacting with FatFs. Ensure robust input validation and buffer management.
  • Prepare for Patches: Although no upstream patches are currently available, begin planning for future patch rollouts. This includes assessing the effort required for integration and validation within your specific device ecosystem.
  • Implement Defense-in-Depth: Where possible, deploy additional layers of security, such as secure boot, access controls, and network segmentation, to mitigate the impact of potential exploitation, especially for devices with exposed interfaces.
  • Monitor for Updates: Stay vigilant for any future communications from runZero, JPCERT/CC, or the FatFs community regarding potential mitigations or patches.
