Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. 7 Unpatched Flaws Disclosed in FatFs Filesystem Used in Millions of Embedded Devices
7 Unpatched Flaws Disclosed in FatFs Filesystem Used in Millions of Embedded Devices
NEWS

7 Unpatched Flaws Disclosed in FatFs Filesystem Used in Millions of Embedded Devices

Security firm runZero has disclosed seven vulnerabilities in FatFs, a widely used FAT/exFAT filesystem library embedded in cameras, drones, crypto...

Dylan H.

News Desk

July 3, 2026
4 min read

Seven Vulnerabilities in FatFs — The Filesystem in Millions of Embedded Devices

Security firm runZero has disclosed seven vulnerabilities in FatFs, a small open-source library that allows embedded devices to read and write FAT and exFAT filesystems — the same formats used on USB drives and SD cards. Only one of the seven flaws has been patched upstream; the remaining six are unresolved.

The impact is broad: FatFs ships inside the firmware of security cameras, drones, industrial controllers, hardware cryptocurrency wallets, medical devices, and countless other embedded systems. Downstream platforms that bundle it include Espressif ESP-IDF, STMicroelectronics STM32Cube, MicroPython, ArduPilot, and SWUpdate.


What Is FatFs?

FatFs is a royalty-free, portable FAT/exFAT filesystem module written in C by a single developer. It is designed to run on microcontrollers and RTOSes with minimal resources, making it a popular choice for embedded firmware. It ships inside or alongside major RTOS ecosystems including:

  • Zephyr
  • Mbed
  • RT-Thread
  • Samsung TizenRT
  • Espressif ESP-IDF
  • STM32Cube (STMicroelectronics)

The 7 Vulnerabilities

All bugs are triggered by crafted FAT, exFAT, or GPT images delivered via removable media (USB drives, SD cards) or over-the-air update channels. Severity ratings span Medium to High (CVSS 4.6–7.6).

CVECVSSTypeDescription
CVE-2026-66827.6Memory CorruptionInteger overflow during FAT32 mount produces false file size, enabling memory corruption and potential code execution
CVE-2026-66877.6Buffer OverflowexFAT volume-label field overflows a buffer, creating a memory corruption foothold
CVE-2026-66887.6Buffer OverflowLFN (Long File Name) path processing overflows fixed-size caller buffers via strcpy/sprintf
CVE-2026-66856.1Data CorruptionArithmetic wrap on fragmented volumes causes out-of-bounds effects and silent data corruption
CVE-2026-66844.6DoSMalformed GPT table hangs device during mount — only patched flaw, fixed in FatFs R0.16
Two additional CVEsTBDVariousDetails in full runZero disclosure

Why These Flaws Remain Unpatched

FatFs is maintained by a single developer with no security mailing list, no CVE history prior to this disclosure, and no patch notification mechanism for downstream users. When runZero attempted responsible disclosure, they escalated to Japan's JPCERT/CC after receiving no response — coordination remains unresolved.

Every downstream vendor — camera manufacturers, drone makers, industrial control vendors — must independently discover and apply fixes to their bundled FatFs copies. This is the fundamental challenge of supply-chain security in the embedded ecosystem.


Attack Surface

The vulnerabilities require an attacker to supply a crafted removable media image or malicious OTA update payload. This limits remote exploitation to scenarios where:

  • An attacker can physically insert a USB drive or SD card
  • An OTA update channel can be intercepted or manipulated

However, in operational contexts — smart factories, hospitals, unmanned aerial vehicles, and retail POS terminals — these conditions are routinely achievable.


AI-Assisted Fuzzing: A Dual-Use Warning

runZero disclosed that AI-assisted fuzzing using GitHub Copilot in VS Code found bugs that a 2017 manual security audit had missed. The researchers warned explicitly: adversaries now have the same capability. The barrier to finding zero-days in widely embedded open-source libraries has materially decreased.


Mitigations

ActionDetail
Upgrade to FatFs R0.16Patches the GPT hang (CVE-2026-6684) only
Vendor patchingDownstream vendors must independently audit and patch their FatFs integrations
Restrict removable mediaDisable or control USB/SD card access on sensitive embedded devices
OTA signing enforcementReject unsigned or unverified firmware update images
Input validationApply validation on all FAT/exFAT image ingestion paths at the application layer

Key Takeaways

  1. Seven vulnerabilities in FatFs affect millions of devices across cameras, drones, industrial controllers, crypto wallets, and more
  2. Only one flaw is patched (CVE-2026-6684 in FatFs R0.16) — six remain unresolved upstream
  3. Single-maintainer open-source libraries create systemic supply chain risk in embedded systems
  4. AI-assisted fuzzing is lowering the bar for finding embedded library vulnerabilities — offense and defense alike
  5. Physical access or OTA channel control is required for exploitation — but both are realistic in many deployment contexts

References

  • runZero — Seven FatFs Bugs, One Very Large Blast Radius
  • The Hacker News — Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices
  • Risky Biz — FatFs Bugs Enable Physical Access Attacks on a Load of Devices
#Embedded Security#FatFs#IoT#Vulnerability Disclosure#runZero#Path Traversal#Supply Chain

Related Articles

Weekly Recap: CI/CD Backdoor, FBI Buys Location Data

This week's cybersecurity roundup covers supply chain attacks hitting CI/CD pipelines, long-running IoT botnets finally disrupted, the FBI's warrantless...

4 min read

What Changes When AI Writes Your Code: Supply Chain Security in the Age of LLMs

Software supply chain security was already complex. Now that AI coding assistants are writing production code, security teams face new questions about provenance, SBOM coverage, and trust boundaries.

5 min read

North Korean Hackers Target Open Source Developers in Supply Chain Attacks

The PolinRider campaign has compromised more than 100 legitimate open source packages and repositories to deliver a backdoor and information stealer targeting developers worldwide.

5 min read
Back to all News