Tech News

FatFs: 7 Unpatched Flaws Put Millions of Embedded Systems at Risk

Seven flaws, one library, and potentially massive impact. On July 1, 2026, runZero published a report on 7 vulnerabilities discovered in FatFs, a small file system library that enables FAT/exFAT read and write access on USB drives and SD cards. The problem: this code is embedded everywhere in the IoT world: surveillance cameras, drones, industrial controllers, hardware crypto wallets. What are the risks? How can you stay protected? Here’s the essential information you need to know.

A Booby-Trapped SD Card and the Device Goes Down

To exploit the 7 vulnerabilities discovered by runZero, the methodology appears to be the same: the device tries to read a volume or firmware image that has been deliberately malformed, and FatFs mishandles the reading of the corrupted data.

Although there is not a single critical flaw, the most serious one is CVE-2026-6682 (CVSS 7.6). It is an integer overflow in the code that mounts a FAT32 volume (mount_volume()). A flawed calculation produces an incorrect file size, which the following code then treats as a real read length, leading to memory corruption and then code execution. Exploiting this flaw can happen through USB storage, an SD card, and even an OTA update mechanism.

Here are the 6 other flaws, ranked by severity according to runZero:

  • CVE-2026-6687 (7.6): on an exFAT volume, an overly long volume label (in other words, the media name) overflows the buffer meant to store it when the code reads it (f_getlabel()). This causes memory corruption.
  • CVE-2026-6688 (7.6): when media contains a file with a very long name (LFN), FatFs returns that name to the program using it. However, many of these programs copy it into a fixed-size memory area without checking its length: the overly long name then overflows that area and corrupts memory. Because the faulty code is found in each product integrating FatFs, and not in FatFs itself, the flaw is difficult to fix at the source.
  • CVE-2026-6685 (6.1): an arithmetic overflow in cache handling on fragmented volumes, which can silently corrupt data.
  • CVE-2026-6683 (4.6): a divide-by-zero in exFAT that crashes the device. In an update flow, it can "brick" the hardware. Also reachable through some OTA updates.
  • CVE-2026-6686 (4.6): a file extended beyond its end can leak leftover data from previously deleted files.
  • CVE-2026-6684 (4.6): a malformed GPT partition table can freeze the device at mount time. This is the only one of the seven that has been fixed upstream, in FatFs R0.16.

runZero had already manually audited FatFs back in 2017, with several days of fuzzing effort, and found nothing. Returning to the same code in March 2026, the research team managed to identify these flaws with the help of AI. A setup based on Visual Studio Code, GitHub Copilot in auto mode, and a few basic prompts was enough to reach these discoveries. The model built a fuzzer on its own, which surfaced bugs that the manual audit had missed, while also confirming that they were exploitable.

The first problem is that this library is widely used, which means millions of devices are affected. "The affected ecosystem includes several major non-hobbyist platforms, such as Espressif's ESP-IDF, STMicroelectronics' STM32Cube middleware, the Zephyr real-time operating system, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung's TizenRT, and SWUpdate, with downstream applications in consumer IoT, industrial controllers, drones, crypto wallets, and more," the researchers note in their report.

The second problem is that many embedded systems have neither ASLR nor memory protection. As a result, according to runZero, even minimal physical access to a vulnerable device can lead to a jailbreak. "For example, security cameras with SD card storage, voting machines equipped with USB file readers, ATMs, and practically any other device with a screen that users are expected to touch.", the report says.

A Component Everywhere, an Unreachable Maintainer

The third problem, and probably the most important one, is that FatFs is developed by a single developer who cannot be reached! runZero says it made repeated attempts to contact the maintainer without ever getting a response.

As a result, there is no upstream fix for the memory corruption flaws, no security mailing list, and no way for the many products shipping FatFs to know they are affected. This means all manufacturers using this library will have to work on fixes in their local version. In any case, there is a good chance they are already using a modified version of the library.

Either way, there are millions of vulnerable devices and it is highly likely that most of them will remain vulnerable.... At best, it will take months... This is what happens when a small library is used across an entire industry segment. runZero also did not hesitate to bring back the famous XKCD comic to illustrate the situation.

As of today, no attacks exploiting these vulnerabilities have been reported, but that could change.

Sources:

author avatar
Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.