
Researchers at runZero have disclosed seven security vulnerabilities in the widely used FatFs filesystem library, warning that the flaws could expose millions of embedded devices to attacks through malicious USB drives, SD cards, and, in some cases, firmware update mechanisms.
The vulnerabilities, assigned CVE-2026-6682 through CVE-2026-6688, range in severity from medium to high and affect a software component embedded in numerous IoT, industrial, and consumer products.
The findings were published by runZero, which revisited FatFs as part of a broader research project exploring AI-assisted vulnerability discovery in long-tail software supply chains. Moore said that while an earlier manual assessment in 2017 uncovered only minor issues, repeating the audit in March 2026 using GitHub Copilot to automatically generate fuzzing tools quickly revealed multiple previously overlooked vulnerabilities.
FatFs is a compact, open-source FAT/exFAT filesystem implementation written in C that has become a de facto standard for embedded systems because of its portability and permissive licensing. It is bundled directly into firmware and software development kits used by platforms including Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr RTOS, MicroPython, ArduPilot, RT-Thread, Mbed OS, Samsung TizenRT, and SWUpdate, giving the vulnerabilities an unusually broad downstream impact.
Security flaws in FatFs
The most severe issue, tracked as CVE-2026-6682 (CVSS 7.6), is an integer overflow in the FAT32 mounting process that can allow a specially crafted filesystem image to corrupt memory and potentially achieve arbitrary code execution. Another high-severity flaw, CVE-2026-6687, can trigger a stack buffer overflow via a malicious exFAT volume label, while CVE-2026-6688 highlights a common integration problem in which applications copy long filenames into fixed-size buffers, creating additional opportunities for memory corruption. Other disclosed flaws can cause crashes, data corruption, information disclosure, or denial-of-service conditions.
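The integration pattern behind CVE-2026-6688, as the article describes it, is an application copying a filename returned by the filesystem library into a fixed-size buffer. The following is an added example, not runZero's or the FatFs project's code: the directory-entry struct, buffer sizes and function names are constructed stand-ins, and the hardened copy rejects names that do not fit instead of overflowing or silently truncating.

```c
#include <stdio.h>
#include <string.h>

#define LIB_NAME_MAX 255   /* assumed library-side long-filename capacity */
#define APP_NAME_BUF 32    /* typical small application-side buffer       */

/* Constructed stand-in for a directory-entry record; not FatFs's FILINFO. */
struct dir_entry {
    char fname[LIB_NAME_MAX + 1];
};

/* Unsafe pattern (do not use):   strcpy(app_buf, e->fname);
 * Any name longer than APP_NAME_BUF - 1 bytes writes past app_buf. */

/* Hardened copy: bounds the scan of the source, refuses names that do not
 * fit together with their terminator, and always NUL-terminates dst.
 * Returns 0 on success, -1 when the name is rejected. */
int copy_name_checked(char *dst, size_t dst_len, const struct dir_entry *e)
{
    const char *end;
    size_t n;

    if (dst == NULL || dst_len == 0 || e == NULL)
        return -1;
    /* memchr caps the length even if the source is not NUL-terminated */
    end = memchr(e->fname, '\0', sizeof e->fname);
    n = end ? (size_t)(end - e->fname) : sizeof e->fname;
    if (n >= dst_len) {            /* no room for name plus terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, e->fname, n);
    dst[n] = '\0';
    return 0;
}

/* Helper: copy a constructed name of `len` 'A' bytes into a 32-byte buffer
 * and return the status, so the boundary behaviour can be checked directly. */
int try_name_of_length(size_t len)
{
    struct dir_entry e;
    char app_buf[APP_NAME_BUF];

    if (len > LIB_NAME_MAX)
        len = LIB_NAME_MAX;
    memset(e.fname, 'A', len);
    e.fname[len] = '\0';
    return copy_name_checked(app_buf, sizeof app_buf, &e);
}
```

Names of up to 31 bytes are accepted into the 32-byte buffer; a 32-byte or longer name is rejected with an empty, terminated destination rather than a write past the end.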
Most attack scenarios require an attacker to supply a malicious FAT-formatted storage device, making removable media such as SD cards and USB drives the primary delivery mechanism. Devices such as security cameras, drones, industrial controllers, crypto wallets, voting systems, ATMs, and other embedded products that automatically mount inserted media are considered particularly exposed. However, runZero notes that two of the vulnerabilities could also affect over-the-air firmware update workflows if devices mount update images before verifying their integrity, creating potential remote attack paths in poorly secured update pipelines.
The researchers noted that the fragmented nature of the embedded ecosystem complicates remediation. FatFs is commonly copied directly into projects and then modified locally, meaning downstream vendors must independently identify whether their products contain vulnerable versions and apply fixes. runZero said it attempted to contact the upstream maintainer and involved Japan's JPCERT/CC during the coordinated disclosure process but did not receive a response.
Rather than keeping the issues private, runZero opted to publish the findings, accompanying proof-of-concept code, and testing tools to help vendors identify affected products and validate patches.