Security firm runZero has disclosed seven vulnerabilities in FatFs, a widely used lightweight filesystem library that supports the FAT and exFAT formats on USB drives and SD cards and is embedded across a vast range of devices. The vulnerabilities are significant because FatFs is integrated into firmware used in security cameras, drones, industrial controllers, hardware crypto wallets, and numerous systems built on real-time operating systems. According to the researchers, the flaws create a pathway where an attacker with physical access, or a malicious storage device, can trigger memory corruption and potentially execute code on affected systems, particularly in environments that lack the memory protection mechanisms common on desktops and mobile devices.
runZero explained that all seven vulnerabilities originate in the way FatFs handles malformed or specially crafted storage volumes and firmware images. When a device attempts to read corrupted FAT32 or exFAT structures, the library fails to validate the input properly, resulting in unsafe memory operations. The most severe issue, tracked as CVE-2026-6682 with a CVSS score of 7.6, is an integer overflow during FAT32 volume mounting that produces incorrect file size calculations. These incorrect values are later used in memory operations, leading to corruption and possible code execution. Additional high-severity issues include CVE-2026-6687, an exFAT volume label buffer overflow, and CVE-2026-6688, in which long filenames overflow buffers in wrapper code built around FatFs. The remaining vulnerabilities are CVE-2026-6685, affecting cache handling on fragmented volumes; CVE-2026-6683, a divide-by-zero condition that can cause crashes or potentially brick a device during a firmware update; CVE-2026-6686, which may leak residual data from deleted files; and CVE-2026-6684, in which malformed GPT partition tables can hang a device during mounting.
The researchers highlighted that embedded systems are particularly exposed because many lack the memory protections found in consumer operating systems. In some cases, physical access alone can lead to full device compromise, a scenario runZero described as “any physical access leads to a jailbreak.” Devices such as public kiosks, ATMs, cameras with SD card slots, and voting machines with USB ports can become vulnerable if they process malicious storage media or firmware updates. The vulnerabilities carry CVSS ratings from medium to high, with none rated critical, but the researchers emphasized that the real risk lies in how widely FatFs is deployed and how deeply it is embedded in critical firmware across industries.
The disclosure also highlights a significant vulnerability management challenge arising from the upstream maintenance model of FatFs. runZero reported difficulty reaching the maintainer, and an attempt to involve Japan’s JPCERT/CC coordination center also went unanswered, leaving no centralized security channel for disclosure or patch coordination. While FatFs R0.16 includes a fix for the GPT-related issue, the remaining memory corruption vulnerabilities require downstream vendors to implement their own patches across affected platforms, including Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate. The researchers also confirmed that no active exploitation has been observed so far, although proof-of-concept exploit tools, disk images, and QEMU-based examples have already been published, increasing the potential risk.
The report further notes that AI-assisted vulnerability discovery played a role in identifying these issues: the researchers used tools including Copilot in auto mode to help build the fuzzing frameworks that uncovered previously undetected flaws. This follows a broader trend in which automated or AI-driven systems have identified complex memory safety bugs in widely used software such as SQLite and FFmpeg. runZero warned that because such vulnerabilities can now be discovered with accessible tooling, the likelihood of future exposure increases unless vendors proactively audit and secure embedded libraries. The findings reinforce the need for firmware developers and device manufacturers to audit their use of FatFs, examine wrapper implementations around filename and file size handling, and treat physical ports and update mechanisms as potential attack surfaces while awaiting vendor-level remediation.
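The audit recommendations above, validating boot-sector geometry before it feeds division or size arithmetic, and bounding filename copies in wrapper code, are illustrated by the added C example below. It is not FatFs code and not runZero's; the `bpb_t`/`volume_t` structures are a simplified model of a FAT boot sector, and every function and status name is hypothetical. The constraints it enforces (512 to 4096 bytes per sector, power-of-two sectors per cluster up to 128) come from the FAT specification.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Status codes for the checks below (hypothetical names, not FatFs's FRESULT). */
enum vol_status {
    VOL_OK = 0,
    VOL_ERR_BAD_GEOMETRY,   /* zero, out-of-range or non-power-of-two geometry field */
    VOL_ERR_OVERFLOW,       /* 32-bit size arithmetic would wrap or exceed the volume */
    VOL_ERR_TOO_LONG        /* filename does not fit the caller's buffer */
};

/* Constructed, simplified boot-sector fields; a real BPB carries many more. */
typedef struct {
    uint32_t bytes_per_sector;
    uint32_t sectors_per_cluster;
    uint32_t total_sectors;
} bpb_t;

/* Geometry derived from a successfully validated boot sector. */
typedef struct {
    uint32_t cluster_bytes;
    uint32_t cluster_count;
    uint32_t volume_bytes;
} volume_t;

static int is_pow2(uint32_t v) { return v != 0 && (v & (v - 1)) == 0; }

/* 32-bit multiply that reports wrap instead of silently truncating. */
static int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out) {
    if (a != 0 && b > UINT32_MAX / a) return VOL_ERR_OVERFLOW;
    *out = a * b;
    return VOL_OK;
}

/* Validate untrusted geometry before any division or size arithmetic uses it. */
int mount_volume(const bpb_t *bpb, volume_t *vol) {
    if (!is_pow2(bpb->bytes_per_sector) ||
        bpb->bytes_per_sector < 512 || bpb->bytes_per_sector > 4096)
        return VOL_ERR_BAD_GEOMETRY;
    if (!is_pow2(bpb->sectors_per_cluster) || bpb->sectors_per_cluster > 128)
        return VOL_ERR_BAD_GEOMETRY;
    if (bpb->total_sectors == 0)
        return VOL_ERR_BAD_GEOMETRY;

    int rc = mul_u32_checked(bpb->bytes_per_sector, bpb->sectors_per_cluster, &vol->cluster_bytes);
    if (rc != VOL_OK) return rc;
    rc = mul_u32_checked(bpb->total_sectors, bpb->bytes_per_sector, &vol->volume_bytes);
    if (rc != VOL_OK) return rc;
    /* The divisor is known to be non-zero here because is_pow2() rejected zero. */
    vol->cluster_count = bpb->total_sectors / bpb->sectors_per_cluster;
    return VOL_OK;
}

/* Reject a directory entry whose declared size cannot fit on the volume; an
   allocation or copy driven by that value would otherwise be oversized. */
int file_size_plausible(const volume_t *vol, uint32_t declared_size) {
    /* Round up to whole clusters without an addition that could wrap. */
    uint32_t clusters = declared_size / vol->cluster_bytes +
                        (declared_size % vol->cluster_bytes != 0);
    return clusters > vol->cluster_count ? VOL_ERR_OVERFLOW : VOL_OK;
}

/* Bounded copy of a long filename into a fixed buffer: refuses oversized input
   instead of writing past the end, and leaves dst a valid empty string on failure. */
int copy_long_name(char *dst, size_t dst_size, const char *src, size_t src_len) {
    if (dst_size == 0) return VOL_ERR_TOO_LONG;
    if (src_len >= dst_size) { dst[0] = '\0'; return VOL_ERR_TOO_LONG; }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return VOL_OK;
}

/* Exercise the checks on constructed inputs; returns the number of failed expectations. */
int run_self_checks(void) {
    int failures = 0;
    volume_t vol;
    bpb_t good = { 512, 8, 1u << 20 };           /* 512 MiB volume, 4 KiB clusters */
    bpb_t zero_sector = { 0, 8, 1000 };          /* would divide by zero if trusted */
    bpb_t wraps = { 4096, 128, 0xFFFFFFFFu };    /* total bytes exceed 32 bits */
    char name[13];
    char too_long[300];
    memset(too_long, 'A', sizeof too_long);

    failures += mount_volume(&good, &vol) != VOL_OK;
    failures += vol.cluster_bytes != 4096 || vol.cluster_count != 131072;
    failures += file_size_plausible(&vol, vol.volume_bytes) != VOL_OK;
    failures += file_size_plausible(&vol, 0xFFFFFFFFu) != VOL_ERR_OVERFLOW;
    failures += mount_volume(&zero_sector, &vol) != VOL_ERR_BAD_GEOMETRY;
    failures += mount_volume(&wraps, &vol) != VOL_ERR_OVERFLOW;
    failures += copy_long_name(name, sizeof name, "short.txt", 9) != VOL_OK;
    failures += strcmp(name, "short.txt") != 0;
    failures += copy_long_name(name, sizeof name, too_long, sizeof too_long) != VOL_ERR_TOO_LONG;
    failures += name[0] != '\0';
    return failures;
}
```

The pattern to carry into a real audit is the ordering: every field read from the medium is range-checked once, at mount time, and only the validated copy is used as a divisor or as a multiplier into buffer sizes; wrapper code that receives names or sizes from the library treats its own destination buffer length, not the incoming value, as the bound.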