Critical Vulnerabilities Uncovered in Widely Used FatFs Filesystem Library
Security firm **runZero** has disclosed seven vulnerabilities in **FatFs**, a ubiquitous filesystem library embedded in countless real-time operating systems and devices. These flaws, ranging from medium to high severity, could allow attackers with physical access or via malicious firmware updates to achieve memory corruption and potentially execute arbitrary code on a vast array of embedded systems, including security cameras, drones, and industrial controllers.
Security firm **runZero** has brought to light seven critical vulnerabilities impacting **FatFs**, a compact filesystem library responsible for enabling devices to read and write **FAT** and **exFAT** formats commonly found on USB drives and SD cards.
The widespread integration of **FatFs** across various embedded systems, including security cameras, drones, industrial controllers, and hardware crypto wallets, makes these flaws particularly concerning. Many of these devices operate on real-time operating systems, often lacking the robust memory protections present in modern desktop and mobile environments.

### The Nature of the Flaws
The vulnerabilities, rated **CVSS** Medium to High, primarily stem from the device's mishandling of deliberately malformed storage volumes or firmware images. In the most severe cases, an attacker leveraging a booby-trapped USB drive, SD card, or update file could corrupt memory and execute their own code.
**runZero** emphasizes that for many embedded devices, "any physical access leads to a jailbreak." This means public kiosks, cameras with SD slots, ATMs, or voting machines with USB ports could be compromised with momentary physical access.
### Key Vulnerabilities Identified
The headline vulnerability is **CVE-2026-6682** (CVSS 7.6, High), an integer overflow within the FAT32 volume mounting code. This mathematical error can result in an incorrect file size, leading to memory corruption and potential code execution. This particular flaw is also reachable through certain firmware update mechanisms.
Here's a breakdown of all seven vulnerabilities, ranked by **runZero**:
* **CVE-2026-6682** (7.6, High): FAT32 mount integer overflow, leading to memory corruption and possible code execution. Accessible via physical media and some firmware updates.
* **CVE-2026-6687** (7.6, High): An exFAT volume-label field overflow, providing a memory-corruption foothold.
* **CVE-2026-6688** (7.6, High): Long filenames overflow the wrapper code commonly written around **FatFs**, for example a `strcpy` of `fno.fname` into a fixed-size buffer. Because the defect lives in the caller's code, this is challenging to fix within **FatFs** alone.
* **CVE-2026-6685** (6.1, Medium): A math wrap in cache handling on fragmented volumes, potentially causing silent data corruption.
* **CVE-2026-6683** (4.6, Medium): An exFAT divide-by-zero error that crashes the device. Like **CVE-2026-6682**, it is also reachable via some firmware updates, where a crash mid-update could brick hardware.
* **CVE-2026-6686** (4.6, Medium): Extending a file past its current end can expose residual data from previously deleted files.
* **CVE-2026-6684** (4.6, Medium): A malformed **GPT** partition table can hang the device during mounting. This is the only one of the seven fixed upstream, in **FatFs R0.16**.
### The Patching Predicament
A significant challenge arises from the maintenance model of **FatFs**. It is maintained by a single developer, and **runZero** reported repeated unsuccessful attempts to contact the maintainer, even after involving **Japan's JPCERT/CC** coordination center.
Consequently, there is currently no upstream fix for the critical memory-corruption bugs, no dedicated security mailing list, and no clear channel for the numerous products bundling **FatFs** to receive vulnerability information. While the current release addresses the **GPT** hang (**CVE-2026-6684**), the responsibility for patching the remaining flaws falls entirely on downstream vendors.
Affected platforms include **Espressif ESP-IDF**, **STMicroelectronics STM32Cube**, **Zephyr**, **MicroPython**, **ArduPilot**, **RT-Thread**, **Mbed**, **Samsung TizenRT**, and the **SWUpdate** updater. This broad reach extends the problem into consumer **IoT**, industrial equipment, drones, and cryptocurrency wallets.
As of **runZero**'s July 1 disclosure, no in-the-wild attacks leveraging these bugs have been reported. However, exploit material, including proof-of-concept disk images, a test harness, and a working **QEMU**-based exploit example, has been publicly released in a [companion repository](https://github.com/runZeroInc/vulns-2026-fatfs-chance).
### Recommendations for Mitigation
For firmware developers working with **FAT** or **exFAT** media, the advice is clear: identify the **FatFs** copy in your product, meticulously audit the surrounding wrapper code, pay close attention to filename and file size handling, and plan for immediate patching.
Organizations operating affected devices should treat physical ports and update channels as critical attack surfaces. Implement strict controls over who can connect media, and diligently monitor vendors for firmware updates.
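As an added example (not runZero's, FatFs's, or any vendor's code), the `strcpy` wrapper pattern named under CVE-2026-6688 beside a bounded replacement, plus an overflow-checked size computation of the kind the audit advice above targets. The `FILINFO` layout, the `LFN_BUF` size and the sectors-times-bytes formula are constructed stand-ins for illustration, not FatFs's actual definitions or the actual overflow site.

```c
#include <stdint.h>
#include <string.h>

#define NAME_BUF 13   /* fixed 8.3 buffer many wrappers assume */
#define LFN_BUF  256  /* constructed long-name capacity, not FatFs's FF_LFN_BUF */

/* Constructed stand-in for FatFs's FILINFO; real code includes ff.h. */
typedef struct { char fname[LFN_BUF]; uint32_t fsize; } FILINFO;
/* Vulnerable pattern behind CVE-2026-6688: with LFN on, fname can exceed dst and strcpy overruns it. */
void copy_name_unsafe(char dst[NAME_BUF], const FILINFO *fno) {
    strcpy(dst, fno->fname);
}

/* Hardened: measure first and refuse names that do not fit, rather than
 * truncating silently (a truncated name can alias a different file). */
int copy_name_checked(char *dst, size_t dst_len, const FILINFO *fno) {
    const char *end = memchr(fno->fname, '\0', sizeof fno->fname);
    size_t n = end ? (size_t)(end - fno->fname) : sizeof fno->fname;
    if (n >= dst_len) return -1;   /* no room for name plus NUL */
    memcpy(dst, fno->fname, n);
    dst[n] = '\0';
    return 0;
}
/* Size math hardened against the integer-overflow class of CVE-2026-6682
 * (illustrative formula, not the actual site): compute in 64 bits, reject
 * a wrap past 32 bits, and reject a zero divisor before any later division. */
int volume_bytes_checked(uint32_t sectors, uint32_t bytes_per_sector, uint64_t *out) {
    if (bytes_per_sector == 0) return -1;
    uint64_t v = (uint64_t)sectors * bytes_per_sector;
    if (v > UINT32_MAX) return -1;
    *out = v;
    return 0;
}
/* Self-checks: each returns 1 when the hardened code behaves as intended. */
int long_name_is_rejected(void) {
    FILINFO fno = {0}; char dst[NAME_BUF];
    memset(fno.fname, 'A', 40);            /* constructed 40-char name */
    return copy_name_checked(dst, sizeof dst, &fno) == -1;
}
int short_name_is_copied(void) {
    FILINFO fno = {0}; char dst[NAME_BUF];
    strcpy(fno.fname, "FIRMWARE.BIN");     /* 12 chars fit with NUL */
    return copy_name_checked(dst, sizeof dst, &fno) == 0 && strcmp(dst, "FIRMWARE.BIN") == 0;
}
int wrapping_size_is_rejected(void) {
    uint64_t out = 0;
    return volume_bytes_checked(0xFFFFFFFFu, 512, &out) == -1 && volume_bytes_checked(1000, 0, &out) == -1
        && volume_bytes_checked(2048, 512, &out) == 0 && out == 1048576;
}
```

Only `copy_name_checked` is exercised by the self-checks; `copy_name_unsafe` is shown for comparison and must not be called with a long name.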
### The Role of AI in Vulnerability Discovery
Intriguingly, **runZero**'s re-audit of **FatFs** in March 2026, following an initial manual audit in 2017, utilized an off-the-shelf setup featuring **Visual Studio Code**, **GitHub Copilot** in "auto" mode, and basic prompts. This **LLM**-assisted approach successfully built a fuzzer that uncovered bugs missed by the manual review, confirming their exploitability.
This incident aligns with a growing trend. In late 2024, **Google**'s **Big Sleep** agent discovered an exploitable memory bug in **SQLite** that traditional fuzzing had overlooked. More recently, an autonomous **AI** agent identified 21 memory-safety bugs in **FFmpeg**, another widely embedded C library. **runZero**'s point is stark: if readily available **AI** tools can find these vulnerabilities, so can malicious actors, making quiet disclosure a disservice.
This patching dilemma is not new. **runZero** anticipates that downstream fixes will take years, not days, drawing parallels to **PixieFail**, a 2024 disclosure of nine bugs in **EDK II**'s network-boot code that affected numerous PC and server brands and saw slow vendor patching. **FatFs** presents an even more challenging scenario due to the absence of a responsive upstream maintainer.
Security professionals should closely monitor for any response from the **FatFs** maintainer and, more importantly, how major platform vendors bundling the library react. Until official patches are widely available, it is prudent to assume that many deployed devices are operating with unpatched code when processing untrusted storage media.