Security researchers have identified seven vulnerabilities in FatFs, a widely used lightweight FAT/exFAT filesystem driver integral to numerous embedded and IoT devices. These flaws, assigned CVE identifiers and rated from Medium to High severity, could potentially compromise millions of devices across various platforms.
Overview of FatFs and Its Significance
FatFs is a generic FAT/exFAT filesystem module designed for small embedded systems. Its lightweight and efficient design has led to its adoption in a broad range of platforms, including Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr RTOS, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate. Consequently, devices such as consumer IoT products, industrial controllers, drones, and cryptocurrency wallets rely on FatFs for filesystem operations.
Details of the Identified Vulnerabilities
The vulnerabilities discovered encompass various issues that could be exploited under specific conditions:
- CVE-2026-6682 (CVSS 7.6, High): An integer overflow in the mount_volume() function during FAT32 mounting can lead to attacker-controlled file-size metadata, potentially resulting in heap or stack overflows and code execution.
- CVE-2026-6687 (CVSS 7.6, High): The f_getlabel() function’s handling of exFAT label-length fields lacks proper bounds checking, allowing oversized writes into stack buffers and creating opportunities for memory corruption.
- CVE-2026-6688 (CVSS 7.6, High): When long filenames (LFN) are enabled, fno.fname values can overflow fixed-size buffers in downstream functions that use strcpy or sprintf, so fully addressing the issue requires changes at the wrapper level.
- CVE-2026-6685 (CVSS 6.1, Medium): Unsigned-subtraction wraparound in dirty-cache handling on fragmented volumes can cause stale cache behavior and out-of-bounds memory effects, risking silent data corruption.
- CVE-2026-6683 (CVSS 4.6, Medium): A divide-by-zero error in exFAT sync/write paths, triggerable via crafted media, can lead to reliable crash conditions, particularly concerning for over-the-air (OTA) update processes.
- CVE-2026-6686 (CVSS 4.6, Medium): Seeking beyond the end of a file exposes uninitialized cluster data, potentially leaking stale content from previously deleted files in shared-media or multi-stage boot environments.
- CVE-2026-6684 (CVSS 4.6, Medium): Pre-R0.16 implementations lack validation for GPT entry counts, allowing unbounded partition-scan loops and mount-time denial-of-service attacks. Upstream R0.16 addresses this issue, but downstream upgrades are necessary.
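Two of the items above are things a downstream implementer can act on directly: the wrapper-level fixed-buffer copies of fno.fname (CVE-2026-6688) and the unbounded GPT entry-count loop (CVE-2026-6684). The C below is an added illustration of those defensive checks, not code from the article or from the FatFs project. The filinfo_stand_in and gpt_header_stand_in structs are constructed stand-ins for the real FILINFO and GPT header (only the fields the checks need), and the 128-entry acceptance cap is an assumption to be chosen per platform.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the FatFs FILINFO structure. With LFN enabled the real
 * fname field is far larger than an 8.3 name, which is why a wrapper must never
 * assume a 13-byte destination. */
#define LFN_STAND_IN_MAX 255
typedef struct {
    char fname[LFN_STAND_IN_MAX + 1];
} filinfo_stand_in;

/* Size of the fixed buffer a legacy 8.3-era wrapper typically used ("FILENAME.EXT" + NUL). */
#define SFN_BUF_SIZE 13

/* Vulnerable pattern, shown for contrast and never called with a long name here:
 * an unbounded copy of an LFN-enabled name into an 8.3-sized buffer. */
void copy_name_unsafe(char dst[SFN_BUF_SIZE], const filinfo_stand_in *fno) {
    strcpy(dst, fno->fname); /* writes past dst when fname exceeds 12 characters */
}

/* Hardened wrapper: refuses names that do not fit instead of truncating them,
 * so callers never act on a partial name that could alias another file. */
bool copy_name_bounded(char *dst, size_t dst_size, const filinfo_stand_in *fno) {
    if (dst == NULL || fno == NULL || dst_size == 0) return false;
    /* Locate the NUL without trusting that the driver terminated the field. */
    const char *end = memchr(fno->fname, '\0', sizeof fno->fname);
    if (end == NULL) return false;               /* unterminated: treat as corrupt */
    size_t n = (size_t)(end - fno->fname);
    if (n + 1 > dst_size) return false;          /* would not fit including the NUL */
    memcpy(dst, fno->fname, n + 1);
    return true;
}

/* Same rule for formatted paths: snprintf returns the length it wanted to write,
 * so a result >= dst_size means truncation and must be reported as failure. */
bool build_path_bounded(char *dst, size_t dst_size, const char *dir,
                        const filinfo_stand_in *fno) {
    if (dst == NULL || dir == NULL || fno == NULL || dst_size == 0) return false;
    if (memchr(fno->fname, '\0', sizeof fno->fname) == NULL) return false;
    int r = snprintf(dst, dst_size, "%s/%s", dir, fno->fname);
    return r >= 0 && (size_t)r < dst_size;
}

/* Constructed subset of a GPT header: the two fields that drive the scan loop. */
typedef struct {
    uint32_t num_entries;
    uint32_t entry_size;
} gpt_header_stand_in;

#define GPT_MAX_ENTRIES_ACCEPTED 128u  /* assumption: choose a ceiling suited to the platform */
#define GPT_MIN_ENTRY_SIZE 128u        /* UEFI requires 128 * 2^n bytes per entry */

/* Returns how many entries the mount code may scan, or 0 if the header must be
 * rejected. Bounding the count here keeps a crafted header from turning the
 * partition scan into a mount-time denial of service. */
uint32_t gpt_entries_to_scan(const gpt_header_stand_in *h) {
    if (h == NULL) return 0;
    bool size_ok = h->entry_size >= GPT_MIN_ENTRY_SIZE &&
                   (h->entry_size & (h->entry_size - 1u)) == 0; /* power of two */
    if (!size_ok) return 0;
    if (h->num_entries == 0 || h->num_entries > GPT_MAX_ENTRIES_ACCEPTED) return 0;
    /* The table size (entries * entry_size) must also fit a 32-bit byte count. */
    if (h->num_entries > UINT32_MAX / h->entry_size) return 0;
    return h->num_entries;
}

int main(void) {
    filinfo_stand_in fno;
    memset(&fno, 0, sizeof fno);
    strcpy(fno.fname, "a_much_longer_filename_than_8_3.txt"); /* constructed LFN sample */
    char small[SFN_BUF_SIZE];
    printf("bounded copy into 8.3 buffer: %s\n",
           copy_name_bounded(small, sizeof small, &fno) ? "accepted" : "rejected");
    gpt_header_stand_in crafted = { 0xFFFFFFFFu, 128u };         /* constructed hostile header */
    printf("entries to scan from crafted header: %u\n", gpt_entries_to_scan(&crafted));
    return 0;
}
```

The design choice worth noting is that both helpers fail closed: a name that does not fit is rejected rather than clipped, and an implausible header yields a zero scan count, so the caller has to handle the error path explicitly instead of proceeding on partial data.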
These vulnerabilities can be exploited through crafted FAT, exFAT, or GPT images delivered via removable media or auto-mounted update channels. Devices lacking Address Space Layout Randomization (ASLR) and memory protection are particularly susceptible, as physical access could lead to full system compromise. Affected device classes include security cameras, ATMs, voting machines, and any hardware with publicly accessible USB or SD card interfaces.
Discovery and Disclosure Process
The research revisited a 2017 manual audit and fuzzing effort that had previously identified only minor bugs. In March 2026, researchers employed Visual Studio Code and GitHub Copilot in “auto” mode, without custom harnesses or fuzzing loops, to re-examine the codebase. This AI-assisted approach uncovered previously overlooked bugs and validated their exploitability across multiple embedded scenarios, highlighting the growing role of artificial intelligence in identifying long-tail supply chain vulnerabilities.
Efforts to contact the FatFs maintainer and involve JPCERT/CC early in the process were unsuccessful, as no response was received. Given that many implementers maintain heavily modified versions of FatFs, upstream patches require careful validation before adoption. Downstream implementers are urged to audit their versions of FatFs, review filename and file-size handling, and apply necessary patches to mitigate these vulnerabilities.
These findings underscore the critical importance of continuous security assessments in embedded systems. As IoT devices become increasingly prevalent, ensuring the integrity of foundational components like filesystem drivers is essential to prevent potential exploits that could compromise vast networks of connected devices.