Seven Vulnerabilities in FatFs — The Filesystem in Millions of Embedded Devices
Security firm runZero has disclosed seven vulnerabilities in FatFs, a small open-source library that allows embedded devices to read and write FAT and exFAT filesystems — the same formats used on USB drives and SD cards. Only one of the seven flaws has been patched upstream; the remaining six are unresolved.
The impact is broad: FatFs ships inside the firmware of security cameras, drones, industrial controllers, hardware cryptocurrency wallets, medical devices, and countless other embedded systems. Downstream platforms that bundle it include Espressif ESP-IDF, STMicroelectronics STM32Cube, MicroPython, ArduPilot, and SWUpdate.
What Is FatFs?
FatFs is a royalty-free, portable FAT/exFAT filesystem module written in C by a single developer. It is designed to run on microcontrollers and RTOSes with minimal resources, making it a popular choice for embedded firmware. It ships inside or alongside major RTOS ecosystems including:
- Zephyr
- Mbed
- RT-Thread
- Samsung TizenRT
- Espressif ESP-IDF
- STM32Cube (STMicroelectronics)
The 7 Vulnerabilities
All bugs are triggered by crafted FAT, exFAT, or GPT images delivered via removable media (USB drives, SD cards) or over-the-air update channels. Severity ratings span Medium to High (CVSS 4.6–7.6).
| CVE | CVSS | Type | Description |
|---|---|---|---|
| CVE-2026-6682 | 7.6 | Memory Corruption | Integer overflow during FAT32 mount produces false file size, enabling memory corruption and potential code execution |
| CVE-2026-6687 | 7.6 | Buffer Overflow | exFAT volume-label field overflows a buffer, creating a memory corruption foothold |
| CVE-2026-6688 | 7.6 | Buffer Overflow | LFN (Long File Name) path processing overflows fixed-size caller buffers via strcpy/sprintf |
| CVE-2026-6685 | 6.1 | Data Corruption | Arithmetic wrap on fragmented volumes causes out-of-bounds effects and silent data corruption |
| CVE-2026-6684 | 4.6 | DoS | Malformed GPT table hangs device during mount — only patched flaw, fixed in FatFs R0.16 |
| Two additional CVEs | TBD | Various | Details in full runZero disclosure |
Why These Flaws Remain Unpatched
FatFs is maintained by a single developer with no security mailing list, no CVE history prior to this disclosure, and no patch notification mechanism for downstream users. When runZero attempted responsible disclosure, they escalated to Japan's JPCERT/CC after receiving no response — coordination remains unresolved.
Every downstream vendor — camera manufacturers, drone makers, industrial control vendors — must independently discover and apply fixes to their bundled FatFs copies. This is the fundamental challenge of supply-chain security in the embedded ecosystem.
Attack Surface
The vulnerabilities require an attacker to supply a crafted removable media image or malicious OTA update payload. This limits remote exploitation to scenarios where:
- An attacker can physically insert a USB drive or SD card
- An OTA update channel can be intercepted or manipulated
However, in operational contexts — smart factories, hospitals, unmanned aerial vehicles, and retail POS terminals — these conditions are routinely achievable.
AI-Assisted Fuzzing: A Dual-Use Warning
runZero disclosed that AI-assisted fuzzing using GitHub Copilot in VS Code found bugs that a 2017 manual security audit had missed. The researchers warned explicitly: adversaries now have the same capability. The barrier to finding zero-days in widely embedded open-source libraries has materially decreased.
Mitigations
| Action | Detail |
|---|---|
| Upgrade to FatFs R0.16 | Patches the GPT hang (CVE-2026-6684) only |
| Vendor patching | Downstream vendors must independently audit and patch their FatFs integrations |
| Restrict removable media | Disable or control USB/SD card access on sensitive embedded devices |
| OTA signing enforcement | Reject unsigned or unverified firmware update images |
| Input validation | Apply validation on all FAT/exFAT image ingestion paths at the application layer |
Key Takeaways
- Seven vulnerabilities in FatFs affect millions of devices across cameras, drones, industrial controllers, crypto wallets, and more
- Only one flaw is patched (CVE-2026-6684 in FatFs R0.16) — six remain unresolved upstream
- Single-maintainer open-source libraries create systemic supply chain risk in embedded systems
- AI-assisted fuzzing is lowering the bar for finding embedded library vulnerabilities — offense and defense alike
- Physical access or OTA channel control is required for exploitation — but both are realistic in many deployment contexts