Vulnerability

Seven New CVEs in FatFs Filesystem Driver Put Millions of Embedded and IoT Devices at Risk

dark6 6 July 2026
Read Time:3 Minute, 34 Second

Security researchers at runZero have disclosed seven new vulnerabilities in FatFs, the lightweight FAT/exFAT filesystem driver embedded in an enormous range of consumer and industrial devices. Because FatFs sits at the heart of so many low-level platforms, the flaws collectively expose everything from security cameras and drones to ATMs, voting machines, and cryptocurrency wallets.

A Ubiquitous Driver Gets a Fresh Look

FatFs underpins some of the most widely used embedded development platforms in the world, including Espressif’s ESP-IDF, STMicroelectronics’ STM32Cube, Zephyr RTOS, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung’s TizenRT, and SWUpdate. A manual audit and fuzzing pass back in 2017 turned up only minor issues, leaving the impression that the codebase was relatively solid. That assumption did not hold up under a second look.

In March 2026, runZero revisited the FatFs codebase using an AI-assisted workflow built around GitHub Copilot running in autonomous mode, without custom fuzzing harnesses. The approach surfaced bugs the earlier manual review had missed and helped validate real-world exploitability across several embedded use cases — another data point in the growing trend of AI tools accelerating long-tail vulnerability research in legacy codebases.

The Seven Vulnerabilities

  • CVE-2026-6682 (CVSS 7.6, High) — An integer overflow in mount_volume() during FAT32 mounting produces attacker-controlled file-size metadata, which can lead to heap or stack overflow and potential code execution.
  • CVE-2026-6687 (CVSS 7.6, High) — An uncapped exFAT label-length field in f_getlabel() allows oversized writes into caller-supplied stack buffers, creating a clean memory-corruption primitive.
  • CVE-2026-6688 (CVSS 7.6, High) — With long filenames enabled, oversized filename values can overflow fixed-size buffers in downstream code that uses unsafe string-copy functions.
  • CVE-2026-6685 (CVSS 6.1, Medium) — An unsigned-subtraction wraparound in dirty-cache handling on fragmented volumes can cause stale cache behavior and out-of-bounds effects, risking silent data corruption.
  • CVE-2026-6683 (CVSS 4.6, Medium) — A divide-by-zero in exFAT sync/write paths, triggerable via crafted media, creates a reliable crash condition — particularly concerning during over-the-air update processes.
  • CVE-2026-6686 (CVSS 4.6, Medium) — Seeking beyond end-of-file can expose uninitialized cluster data, leaking content from previously deleted files in shared-media or multi-stage boot environments.
  • CVE-2026-6684 (CVSS 4.6, Medium) — Implementations prior to FatFs R0.16 lack GPT entry-count validation, allowing unbounded partition-scan loops and mount-time denial-of-service.

Why the Real-World Risk Is Higher Than the CVSS Scores Suggest

None of the seven bugs carry a Critical rating, but their practical impact is amplified by where FatFs runs. These flaws are triggerable through crafted FAT, exFAT, or GPT images delivered via removable media or auto-mounted update channels. Embedded devices frequently lack ASLR and other memory protections found on general-purpose computers, meaning physical access to a USB port or SD card slot can translate directly into a full compromise.

Affected device classes reportedly include security cameras, ATMs, voting machines, and any hardware exposing USB or SD card interfaces to the public — precisely the kind of unattended, physically accessible equipment where a malicious storage device is a realistic attack vector.

Patch Coordination Is Complicated

runZero says it made multiple attempts to contact the FatFs maintainer and involved JPCERT/CC early in the disclosure process but received no response. Compounding the problem, most device makers run heavily vendored, locally modified copies of FatFs rather than a clean upstream version, meaning any fix requires careful validation before it can be rolled into a product.

  • Audit vendored FatFs code for the specific functions named above, especially mount_volume(), f_getlabel(), and long-filename handling
  • Review wrapper code around FatFs for unsafe string-copy usage that could be exploited via oversized filenames
  • Upgrade to FatFs R0.16 or later where GPT partition scanning is used
  • Restrict or monitor auto-mount behavior for removable and update media on unattended embedded devices

With FatFs embedded so deeply into the supply chain for IoT and industrial hardware, downstream vendors bear the real burden of remediation — and given typical embedded-device update cycles, many affected devices may remain vulnerable for years.

Leave a Reply

💬 [[ unisciti alla discussione! ]]


Se vuoi commentare su Seven New CVEs in FatFs Filesystem Driver Put Millions of Embedded and IoT Devices at Risk, utilizza la discussione sul Forum.
Condividi esempi, IOCs o tecniche di detection efficaci nel nostro 👉 forum community