Unpatched Flaws in FatFs Threaten Millions of Embedded Devices

Security researchers at runZero have identified seven vulnerabilities in FatFs, a lightweight filesystem library widely used in embedded systems to handle FAT and exFAT volumes on removable media such as USB drives and SD cards. Because the library is compiled directly into device firmware, the flaws reach a vast array of products, including security cameras, drones, industrial controllers, and hardware cryptocurrency wallets.

FatFs is integral to the firmware of numerous devices running real-time operating systems. The discovered vulnerabilities could allow an attacker to execute arbitrary code by supplying maliciously crafted storage media (a USB stick or SD card the device mounts) or a crafted firmware-update image. Because many microcontroller targets run without a memory protection unit, stack canaries, or address-space randomisation, a single memory-corruption bug in the filesystem layer is often enough for complete device compromise.

The seven vulnerabilities, rated from medium to high severity, are:

  • CVE-2026-6682 (CVSS 7.6): An integer overflow during FAT32 volume mounting, potentially leading to memory corruption and code execution.
  • CVE-2026-6687 (CVSS 7.6): Buffer overflow via an exFAT volume-label field, enabling memory corruption.
  • CVE-2026-6688 (CVSS 7.6): Overflow triggered by over-long filenames, which particularly affects wrapper code built around FatFs.
  • CVE-2026-6685 (CVSS 6.1): Cache handling issue on fragmented volumes, leading to silent data corruption.
  • CVE-2026-6683 (CVSS 4.6): Divide-by-zero error in exFAT handling, causing device crashes and potential bricking during updates.
  • CVE-2026-6686 (CVSS 4.6): Extending a file beyond its current end exposes the old contents of the newly allocated space, leaking data from previously deleted files.
  • CVE-2026-6684 (CVSS 4.6): Malformed GPT partition table causing device hangs during mounting.
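
The first two entries above are the kind of bug a mount path hits when it trusts on-disk length and geometry fields. As an added illustration (not FatFs code, and not the root cause or the fix of any listed CVE, which this summary does not describe), the C below parses the two structures involved, a FAT32 boot sector and an exFAT volume-label directory entry, the way a defensive mount path should: every field is range-checked before it drives arithmetic or a copy into a fixed buffer, and size computations run in 64 bits so a crafted 32-bit field cannot wrap them. Field offsets follow the published FAT and exFAT layouts; the function names, helper names, and sample sectors are this example's own.

```c
/* Added example (not FatFs code): defensive parsing of a FAT32 boot
 * sector and an exFAT volume-label entry. Field offsets follow the
 * published FAT/exFAT layouts; helper names and sample data are this
 * example's own, and the checks are not the fix for any listed CVE. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR_SIZE 512
#define EXFAT_LABEL_MAX 11   /* exFAT VolumeLabel field holds 11 UTF-16LE units */

/* Little-endian field accessors. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

struct fat32_geom {
    uint32_t bytes_per_sector, sectors_per_cluster;
    uint32_t data_start_sector;   /* first sector of the data region */
    uint32_t cluster_count;       /* number of data clusters */
};

/* FAT32 boot sector: BytsPerSec@11(2) SecPerClus@13(1) RsvdSecCnt@14(2)
 * NumFATs@16(1) TotSec32@32(4) FATSz32@36(4) signature 0x55AA@510.
 * Each field is range-checked before it feeds a multiplication, and the
 * size arithmetic runs in 64 bits so a crafted field cannot wrap 32-bit math. */
bool parse_fat32_bpb(const uint8_t *bs, size_t len, struct fat32_geom *g)
{
    if (len < SECTOR_SIZE || bs[510] != 0x55 || bs[511] != 0xAA) return false;
    uint32_t bps = rd16(bs + 11), spc = bs[13], rsvd = rd16(bs + 14);
    uint32_t nfats = bs[16], totsec = rd32(bs + 32), fatsz = rd32(bs + 36);

    if (bps != 512 && bps != 1024 && bps != 2048 && bps != 4096) return false;
    if (spc == 0 || spc > 128 || (spc & (spc - 1)) != 0) return false;   /* power of two */
    if (rsvd == 0 || nfats == 0 || nfats > 2 || fatsz == 0 || totsec == 0) return false;

    uint64_t data_start = (uint64_t)rsvd + (uint64_t)nfats * fatsz;
    if (data_start >= totsec) return false;                  /* FAT area overruns the volume */
    uint64_t clusters = (totsec - data_start) / spc;
    if (clusters < 65525 || clusters > 0x0FFFFFF5u) return false;  /* legal FAT32 cluster range */
    if ((uint64_t)fatsz * bps < (clusters + 2) * 4) return false;  /* FAT too small to map them */

    g->bytes_per_sector = bps;  g->sectors_per_cluster = spc;
    g->data_start_sector = (uint32_t)data_start;  g->cluster_count = (uint32_t)clusters;
    return true;
}

/* exFAT Volume Label directory entry (32 bytes): EntryType@0 == 0x83,
 * CharacterCount@1 (valid 0..11), VolumeLabel@2 (11 UTF-16LE units).
 * The count is bounded before it drives the copy into the fixed buffer. */
bool parse_exfat_label(const uint8_t *ent, size_t len, uint16_t label[EXFAT_LABEL_MAX], uint8_t *count)
{
    if (len < 32 || ent[0] != 0x83) return false;
    uint8_t n = ent[1];
    if (n > EXFAT_LABEL_MAX) return false;   /* a crafted count > 11 is rejected, never copied */
    for (uint8_t i = 0; i < EXFAT_LABEL_MAX; i++) label[i] = (i < n) ? rd16(ent + 2 + 2 * i) : 0;
    *count = n;
    return true;
}

/* Constructed sample inputs (not captured from a real device). */
void build_sample_bpb(uint8_t bs[SECTOR_SIZE], uint16_t bps, uint8_t spc, uint16_t rsvd,
                      uint8_t nfats, uint32_t totsec, uint32_t fatsz)
{
    memset(bs, 0, SECTOR_SIZE);
    wr16(bs + 11, bps); bs[13] = spc; wr16(bs + 14, rsvd); bs[16] = nfats;
    wr32(bs + 32, totsec); wr32(bs + 36, fatsz);
    bs[510] = 0x55; bs[511] = 0xAA;
}

void build_sample_label(uint8_t ent[32], uint8_t count, const char *ascii)
{
    memset(ent, 0, 32);
    ent[0] = 0x83; ent[1] = count;
    for (int i = 0; i < EXFAT_LABEL_MAX && ascii[i]; i++) wr16(ent + 2 + 2 * i, (uint8_t)ascii[i]);
}

/* Runs the samples; returns a bitmask of unexpected outcomes (0 = all as expected). */
int check_samples(void)
{
    uint8_t bs[SECTOR_SIZE], ent[32], n;
    struct fat32_geom g; uint16_t label[EXFAT_LABEL_MAX];
    int bad = 0;

    build_sample_bpb(bs, 512, 8, 32, 2, 1048576u, 1024u);     /* sane 512 MiB volume */
    if (!parse_fat32_bpb(bs, sizeof bs, &g) || g.cluster_count != 130812u) bad |= 1;
    build_sample_bpb(bs, 512, 8, 32, 2, 100u, 0xFFFFFFFFu);    /* FATSz32 sized to wrap 32-bit math */
    if (parse_fat32_bpb(bs, sizeof bs, &g)) bad |= 2;
    build_sample_bpb(bs, 512, 3, 32, 2, 1048576u, 1024u);      /* SecPerClus not a power of two */
    if (parse_fat32_bpb(bs, sizeof bs, &g)) bad |= 4;
    build_sample_label(ent, 200, "FATFS");                    /* CharacterCount far past the field */
    if (parse_exfat_label(ent, sizeof ent, label, &n)) bad |= 8;
    build_sample_label(ent, 5, "FATFS");                      /* well-formed 5-character label */
    if (!parse_exfat_label(ent, sizeof ent, label, &n) || n != 5 || label[0] != 'F' || label[5] != 0) bad |= 16;
    return bad;
}

int main(void)
{
    int bad = check_samples();
    printf("unexpected outcomes bitmask: %d\n", bad);
    return bad != 0;
}
```

Build with `cc -std=c99 -Wall` and run: the sane sample is accepted, while the wrapping FAT size, the non-power-of-two cluster size, and the oversized label count are all rejected before any arithmetic or copy can go wrong. One caveat for product teams reviewing their own firmware: FatFs gates the exFAT, long-filename, and GPT code paths behind the ffconf.h build options FF_FS_EXFAT, FF_USE_LFN, and FF_LBA64. Devices that do not need those features can compile them out to shrink the code reachable from a hostile volume, but this removes code rather than correcting it and is not a substitute for applying a patch.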

Addressing these vulnerabilities is complicated by how FatFs is maintained: the library is the work of a single developer and has no formal security-response process. Despite runZero's efforts to coordinate through the maintainer and Japan's JPCERT/CC, no response has been received, leaving the majority of these issues unpatched at the source level.

Notably, CVE-2026-6684, the GPT partition-table hang, has been fixed in FatFs R0.16. The remaining six require downstream vendors to patch their bundled copies of the library themselves. Affected platforms that ship FatFs include Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate, which together cover a broad spectrum of consumer IoT devices, industrial equipment, drones, and cryptocurrency wallets.

As of July 1, 2026, no in-the-wild exploitation of these vulnerabilities has been reported. runZero has nevertheless released proof-of-concept disk images and a QEMU-based exploit example, demonstrating that the flaws are reachable from attacker-controlled media rather than merely theoretical.

The widespread use of FatFs in embedded systems underscores the need for robust security practices in open-source software development. The case also highlights the importance of proactive vulnerability management, and the difficulty single-maintainer projects pose for securing devices that millions rely on daily.