Seven Flaws Found in FatFs Filesystem Library Used in Embedded Devices
Security researchers at runZero have disclosed seven vulnerabilities in FatFs, a compact filesystem library widely embedded in firmware for devices that read and write FAT and exFAT media. The softwar...
Security researchers at runZero have disclosed seven vulnerabilities in FatFs, a compact filesystem library widely embedded in firmware for devices that read and write FAT and exFAT media. The software is used in products ranging from security cameras and drones to industrial controllers, hardware wallets, and other systems built on real-time operating systems.
The issues are significant because many embedded devices do not include the memory protections common on laptops and phones. In some cases, a malicious USB drive, SD card, or firmware image could trigger memory corruption, crashes, data leaks, or even code execution. runZero noted that on exposed hardware, physical access to a port or storage slot can be enough to create a serious compromise.
What was found
- CVE-2026-6682 — a FAT32 mount integer overflow that can lead to memory corruption and possible code execution.
- CVE-2026-6687 — an exFAT volume-label parsing issue that can overflow a buffer.
- CVE-2026-6688 — long filenames can overflow code that wraps FatFs in downstream projects.
- CVE-2026-6685 — a cache-handling math error that may corrupt data on fragmented volumes.
- CVE-2026-6683 — an exFAT divide-by-zero condition that can crash devices.
- CVE-2026-6686 — a flaw that may expose remnants of previously deleted files.
- CVE-2026-6684 — a malformed GPT partition table can hang a device during mounting.
According to runZero, only one of the seven issues has been addressed in an upstream release of FatFs. The remaining bugs appear to require fixes from downstream vendors that bundle the library into their own firmware stacks. The company said it attempted to contact the maintainer and also involved Japan’s JPCERT/CC, but did not receive a response.
Affected environments can include Espressif ESP-IDF, STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate. That places the burden on device makers to identify where FatFs is used and to review wrapper code, filename handling, and file-size logic.
runZero said it had not seen active exploitation at the time of disclosure, but it published proof-of-concept materials and an exploit demonstration to support testing and remediation. The team also highlighted the role of AI-assisted development and fuzzing in uncovering bugs that earlier manual review missed.
For organizations and consumers using affected devices, the practical advice is to limit untrusted physical media, scrutinize firmware updates, and watch for vendor patches.
