Vypr advisory · Published Jul 3, 2026 · 1 source

Seven Unpatched Flaws in Widely Used FatFs Library Expose Millions of Embedded Devices

Security researchers have disclosed seven vulnerabilities in the FatFs filesystem library, a component embedded in millions of devices, potentially allowing attackers to corrupt memory and execute code.

Security firm runZero has disclosed seven vulnerabilities affecting the FatFs filesystem library, a critical component used by countless embedded devices to read and write FAT and exFAT formats, commonly found on USB drives and SD cards. The library's ubiquity means these unpatched flaws pose a significant risk to a vast array of hardware, including security cameras, drones, industrial controllers, and hardware cryptocurrency wallets.

On the most vulnerable systems, an attacker could gain full control by introducing a specially crafted USB drive, SD card, or firmware update file. Many embedded devices lack the robust memory protections found on personal computers and smartphones, making them particularly susceptible. runZero notes that on such systems, "any physical access leads to a jailbreak," turning devices like public kiosks, ATMs, or voting machines into potential gateways for attackers.

The seven vulnerabilities, rated by runZero with CVSS scores ranging from Medium to High, all stem from FatFs mishandling deliberately malformed data during read or write operations. The most severe, CVE-2026-6682 (CVSS 7.6), is an integer overflow during the mounting of a FAT32 volume. This flaw can lead to incorrect file size calculations, which are then treated as legitimate by subsequent code, ultimately resulting in memory corruption and potential code execution. This particular vulnerability can be triggered not only by physical media but also through certain firmware update mechanisms.
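The failure mode described above (volume geometry values from an untrusted boot sector feeding arithmetic that wraps, so that later code trusts an impossible size) is the kind of thing the audit advice at the end of this piece is asking developers to look for. The following is an added illustration of how a defensive implementation can validate FAT32 geometry before computing anything from it; it is not FatFs code, not runZero's proof of concept, and does not reproduce the specific code path of CVE-2026-6682, which this page does not detail. The field names follow the Microsoft FAT specification's BPB layout; the struct, the function names and the sample values are assumptions made for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Subset of the FAT32 BIOS Parameter Block. Field names come from the
 * Microsoft FAT specification; the struct itself is illustrative, not FatFs's. */
typedef struct {
    uint16_t BytsPerSec;   /* 512, 1024, 2048 or 4096 */
    uint8_t  SecPerClus;   /* power of two, 1..128 */
    uint16_t RsvdSecCnt;   /* reserved sectors, must be >= 1 */
    uint8_t  NumFATs;      /* normally 2 */
    uint32_t FATSz32;      /* sectors per FAT */
    uint32_t TotSec32;     /* total sectors on the volume */
} fat32_bpb;

typedef struct {
    uint32_t first_data_sector;
    uint32_t cluster_count;
    uint32_t cluster_bytes;
    uint64_t data_region_bytes;
} fat32_geometry;

/* Derives the volume geometry from an untrusted BPB. Returns true and fills *g
 * only when every field is in range and no intermediate value overflows. */
bool fat32_validate_geometry(const fat32_bpb *b, fat32_geometry *g) {
    switch (b->BytsPerSec) { case 512: case 1024: case 2048: case 4096: break; default: return false; }
    if (b->SecPerClus == 0 || (b->SecPerClus & (b->SecPerClus - 1)) != 0) return false;
    if (b->RsvdSecCnt == 0 || b->NumFATs == 0 || b->FATSz32 == 0 || b->TotSec32 == 0) return false;

    /* At most 4096 * 128 = 524288, so this product cannot wrap. */
    uint32_t cluster_bytes = (uint32_t)b->BytsPerSec * b->SecPerClus;

    /* NumFATs * FATSz32 and the following sum CAN wrap on hostile input;
     * use checked arithmetic instead of trusting the 32-bit result. */
    uint32_t fat_sectors, first_data;
    if (__builtin_mul_overflow((uint32_t)b->NumFATs, b->FATSz32, &fat_sectors)) return false;
    if (__builtin_add_overflow((uint32_t)b->RsvdSecCnt, fat_sectors, &first_data)) return false;

    /* The data region must start inside the volume. */
    if (first_data >= b->TotSec32) return false;
    uint32_t data_sectors = b->TotSec32 - first_data;
    uint32_t clusters = data_sectors / b->SecPerClus;

    /* FAT32 requires at least 65525 clusters; cluster numbers are 28-bit. */
    if (clusters < 65525 || clusters > 0x0FFFFFF5u) return false;
    /* Each FAT must hold one 4-byte entry per cluster plus the two reserved entries. */
    uint64_t fat_entries = (uint64_t)b->FATSz32 * b->BytsPerSec / 4;
    if (fat_entries < (uint64_t)clusters + 2) return false;

    g->first_data_sector = first_data;
    g->cluster_count = clusters;
    g->cluster_bytes = cluster_bytes;
    g->data_region_bytes = (uint64_t)clusters * cluster_bytes;
    return true;
}

/* A directory entry's DIR_FileSize is attacker-controlled. Before it is used to
 * size a read or a copy, check it against what the file's cluster chain can hold. */
bool fat32_file_size_plausible(const fat32_geometry *g, uint32_t chain_clusters, uint32_t dir_file_size) {
    if (chain_clusters > g->cluster_count) return false;
    uint64_t capacity = (uint64_t)chain_clusters * g->cluster_bytes;
    return (uint64_t)dir_file_size <= capacity;
}

int main(void) {
    /* Constructed sample: a 1 GiB volume with 4 KiB clusters and two 1 MiB FATs. */
    fat32_bpb sample = { 512, 8, 32, 2, 2048, 2097152 };
    fat32_geometry g;
    if (!fat32_validate_geometry(&sample, &g)) { puts("rejected"); return 1; }
    printf("clusters=%u cluster_bytes=%u data_bytes=%llu\n",
           g.cluster_count, g.cluster_bytes, (unsigned long long)g.data_region_bytes);
    return 0;
}
```

The point is that every derived value is checked at the boundary where untrusted media is first parsed, so code further along (cache indexing, read-length calculation) never sees a size that the arithmetic could not legitimately have produced. The same pattern applies to the long-filename and volume-label paths mentioned in this advisory: validate lengths against the buffer that will hold them before copying.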

Other significant flaws include CVE-2026-6687 and CVE-2026-6688, both rated High (CVSS 7.6), which stem from mishandling of volume labels and long filenames, respectively, and give an attacker a memory corruption foothold. CVE-2026-6685 (CVSS 6.1, Medium) can silently corrupt data on fragmented volumes because of an arithmetic wrap-around in cache handling. CVE-2026-6683 (CVSS 4.6, Medium) can cause a denial of service or even brick hardware if exploited during a firmware update, while CVE-2026-6686 (CVSS 4.6, Medium) could leak sensitive data from previously deleted files.

A significant challenge in addressing these vulnerabilities is the FatFs library's maintenance model. runZero reports that the library is maintained by a single developer with whom they, and even Japan's JPCERT/CC, have been unable to establish contact. This lack of communication means there are no upstream fixes available for the critical memory corruption bugs, nor a dedicated security mailing list for affected vendors to be notified. While the latest release (R0.16) does include a fix for CVE-2026-6684, which prevents a device hang related to malformed GPT partition tables, the other six vulnerabilities remain unaddressed at the source.

The problem is further compounded by the fact that FatFs is bundled into numerous development frameworks and platforms, including Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr, MicroPython, ArduPilot, and others. This pushes the burden of patching onto downstream vendors, a process that runZero anticipates will take years, drawing parallels to the slow patching of the PixieFail vulnerabilities in EDK II firmware. The lack of a responsive upstream maintainer significantly hinders the ability of these vendors to provide timely security updates.

While no in-the-wild exploitation has been reported as of runZero's disclosure, proof-of-concept exploit code has been publicly released, making the vulnerabilities readily accessible to malicious actors. runZero's research also highlights a growing trend where AI-powered tools, like the LLM-based fuzzer they employed, are becoming increasingly effective at discovering complex memory-safety bugs that traditional methods might miss. This underscores the need for proactive security auditing and faster patching cycles across the embedded device ecosystem.

Given the widespread impact and the challenges in remediation, users of affected devices are advised to treat physical ports and update channels with extreme caution, limiting access to removable media and closely monitoring for firmware updates from device manufacturers. Developers incorporating FatFs are urged to audit their code, particularly around filename and file size handling, and prepare for the complex task of patching their products.

Synthesized by Vypr AI