Seven Unpatched Vulnerabilities Discovered in Widely Used FatFs Filesystem Affecting Millions of Embedded Devices


Security firm runZero has revealed seven vulnerabilities in FatFs, a popular filesystem library that enables devices to read and write FAT and exFAT formats commonly used on USB drives and SD cards. This discovery raises significant concerns, as FatFs is integrated into the firmware of numerous devices, including security cameras, drones, industrial controllers, and hardware crypto wallets, all of which rely on real-time operating systems.

The implications of these vulnerabilities are severe. In the most affected systems, an attacker can exploit a compromised USB drive, SD card, or update file to corrupt the device’s memory and execute arbitrary code. Many embedded systems lack the robust memory protections found in smartphones and desktops, leading runZero to assert that “any physical access leads to a jailbreak.” This vulnerability is particularly alarming for public kiosks, ATMs, and voting machines, which should not grant full control to anyone with brief physical access.

Overview of Vulnerabilities

All seven vulnerabilities follow the same pattern: they are triggered when a device reads a deliberately malformed storage volume or firmware image and FatFs mishandles the corrupted metadata. runZero has rated them with CVSS severities ranging from Medium to High, with no Critical ratings.

The most critical vulnerability is identified as CVE-2026-6682, which has a CVSS score of 7.6. This flaw involves an integer overflow in the code responsible for mounting FAT32 volumes. Erroneous calculations can lead to incorrect file sizes, which are subsequently treated as legitimate read lengths, potentially resulting in memory corruption and code execution on actual hardware.

The following is a list of the vulnerabilities, ranked by severity according to runZero:

  • CVE-2026-6682 (7.6, High): An integer overflow during FAT32 mounting, leading to memory corruption and potential code execution. This vulnerability can be exploited through certain firmware updates, not just physical media.
  • CVE-2026-6687 (7.6, High): An overflow in the exFAT volume-label field that provides an attacker with a foothold for memory corruption.
  • CVE-2026-6688 (7.6, High): Long filenames can overflow the wrapper code surrounding FatFs, complicating fixes within FatFs itself.
  • CVE-2026-6685 (6.1, Medium): An integer wrap in cache handling on fragmented volumes that can lead to silent data corruption.
  • CVE-2026-6683 (4.6, Medium): An exFAT divide-by-zero error that can crash devices and potentially brick hardware during an update process.
  • CVE-2026-6686 (4.6, Medium): A file whose recorded size extends beyond its actual data can leak residual data from previously deleted files.
  • CVE-2026-6684 (4.6, Medium): A malformed GPT partition table can cause the device to hang during mounting. This is the only vulnerability that has been addressed in the upstream FatFs R0.16.

Challenges in Addressing Vulnerabilities

FatFs is maintained by a single developer, and runZero has reported difficulties in reaching out for a resolution. Despite attempts to involve Japan’s JPCERT/CC coordination center, there has been no response. As a result, there are currently no upstream fixes for the memory-corruption vulnerabilities, and no security mailing list exists to inform affected products.

The current release does mitigate the GPT hang issue, but the remaining vulnerabilities require downstream vendors to implement their own patches. Affected platforms include Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and the SWUpdate updater. This situation pushes the responsibility onto consumer IoT, industrial equipment, drones, and crypto wallets.

As of runZero’s disclosure on July 1, no attacks exploiting these vulnerabilities have been reported. However, proof-of-concept disk images, a test harness, and a working QEMU-based exploit example have been made publicly available, raising concerns about potential future exploitation.

Recommendations for Developers and Users

For developers creating firmware that interacts with FAT or exFAT media, it is crucial to locate the version of FatFs used in their products, audit the surrounding wrapper code, and scrutinize how filenames and file sizes are managed. Planning for patches is essential.
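The audit advice above, and the bug classes listed earlier (a multiplication that wraps while mounting, a zero field used as a divisor, a directory-entry size trusted as a read length, and a long filename copied into a fixed wrapper buffer), translate into a handful of defensive checks a wrapper layer can apply before handing values to any FAT library. The following C is an added illustration written for this article; it is not FatFs's code, the `vol_geom_t` struct and all limits are assumptions, and the sample values in `main` are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Geometry fields as they come from an untrusted boot sector. This is a
 * constructed struct for the example, not FatFs's own FATFS object. */
typedef struct {
    uint32_t bytes_per_sector;    /* BPB_BytsPerSec */
    uint32_t sectors_per_cluster; /* BPB_SecPerClus */
    uint32_t reserved_sectors;    /* BPB_RsvdSecCnt */
    uint32_t num_fats;            /* BPB_NumFATs */
    uint32_t sectors_per_fat;     /* BPB_FATSz32 */
    uint32_t total_sectors;       /* BPB_TotSec32 */
} vol_geom_t;

typedef enum { VOL_OK = 0, VOL_BAD_FIELD, VOL_OVERFLOW } vol_status_t;

/* Validate every field that later becomes a divisor or a multiplier. The
 * products are deliberately done in 32-bit with explicit overflow detection,
 * matching the 32-bit MCU targets most embedded FAT users build for. */
vol_status_t validate_geometry(const vol_geom_t *g, uint32_t *cluster_bytes_out)
{
    /* Zero here would later divide by zero or produce an empty volume. */
    if (g->bytes_per_sector == 0 || g->sectors_per_cluster == 0 ||
        g->num_fats == 0 || g->sectors_per_fat == 0 || g->total_sectors == 0)
        return VOL_BAD_FIELD;
    /* FAT spec ranges: both are powers of two; 512..4096 bytes per sector, at most 128 sectors per cluster. */
    if (g->bytes_per_sector < 512 || g->bytes_per_sector > 4096 ||
        (g->bytes_per_sector & (g->bytes_per_sector - 1)) != 0)
        return VOL_BAD_FIELD;
    if (g->sectors_per_cluster > 128 ||
        (g->sectors_per_cluster & (g->sectors_per_cluster - 1)) != 0)
        return VOL_BAD_FIELD;

    uint32_t fat_area, data_start, cluster_bytes;
    if (__builtin_mul_overflow(g->num_fats, g->sectors_per_fat, &fat_area)) return VOL_OVERFLOW;
    if (__builtin_add_overflow(g->reserved_sectors, fat_area, &data_start)) return VOL_OVERFLOW;
    if (data_start >= g->total_sectors) return VOL_BAD_FIELD;   /* no room left for a data region */
    if (__builtin_mul_overflow(g->bytes_per_sector, g->sectors_per_cluster, &cluster_bytes)) return VOL_OVERFLOW;
    *cluster_bytes_out = cluster_bytes;
    return VOL_OK;
}

/* Convenience wrapper: cluster size in bytes, or 0 if the geometry is rejected. */
uint32_t cluster_bytes_of(const vol_geom_t *g)
{
    uint32_t cb = 0;
    return validate_geometry(g, &cb) == VOL_OK ? cb : 0;
}

/* Number of bytes a read may actually copy. `file_size` is the untrusted
 * directory-entry value, `chain_clusters` is what the FAT chain really
 * allocates, `buf_len` is the caller's buffer. Returns 0 with *ok = false when
 * the request must be refused rather than clamped. */
size_t bounded_read_len(uint32_t file_size, uint32_t chain_clusters, uint32_t cluster_bytes,
                        uint32_t offset, size_t requested, size_t buf_len, bool *ok)
{
    uint32_t allocated;
    *ok = false;
    if (__builtin_mul_overflow(chain_clusters, cluster_bytes, &allocated)) return 0;
    if (file_size > allocated) return 0;   /* size claims more data than the chain holds */
    if (offset > file_size) return 0;
    size_t n = requested;
    size_t remaining = file_size - offset;
    if (n > remaining) n = remaining;
    if (n > buf_len) n = buf_len;
    *ok = true;
    return n;
}

/* Copy a (possibly long) filename into a fixed wrapper buffer, truncating
 * instead of overflowing. Returns the number of bytes stored. */
size_t copy_name_bounded(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    if (dst_len == 0) return 0;
    size_t n = src_len < dst_len - 1 ? src_len : dst_len - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed boot-sector values: a FAT size chosen so num_fats * sectors_per_fat wraps in 32 bits. */
    vol_geom_t bad = { 512, 8, 32, 2, 0x80000000u, 100000 };
    uint32_t cb = 0;
    printf("malformed volume -> status %d (0=ok,1=bad field,2=overflow)\n", validate_geometry(&bad, &cb));
    vol_geom_t good = { 512, 8, 32, 2, 1000, 100000 };
    printf("sane volume -> status %d, cluster bytes %u\n", validate_geometry(&good, &cb), cb);
    return 0;
}
```

The three functions are independent, so a wrapper can adopt any of them without touching the library underneath; the key design point is that every arithmetic step that derives a size from untrusted metadata is checked before its result is used as a loop bound, divisor or copy length.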

For users operating affected devices, it is advisable to treat physical ports and update channels as potential attack vectors. Limiting who can connect media and monitoring vendor firmware updates can help mitigate risks.

The Broader Context

runZero’s initial audit of FatFs in 2017 yielded minimal findings. However, upon revisiting the code in March 2026, the team utilized an automated setup that included Visual Studio Code and GitHub Copilot. This approach enabled the creation of a fuzzer, which tests code by feeding it malformed data until failures occur, revealing previously unnoticed vulnerabilities.

This trend aligns with a growing pattern in cybersecurity. In late 2024, Google’s Big Sleep agent identified an exploitable memory bug in SQLite that had evaded traditional fuzzing methods. Recently, an autonomous AI agent uncovered 21 memory-safety bugs in FFmpeg, another widely used C library. The implication is clear: if readily available AI tools can identify these vulnerabilities, they pose a significant risk to unprepared systems.

The challenge of patching vulnerabilities is not new. runZero anticipates that fixes from downstream vendors may take years, not days. The precedent set by PixieFail, which involved multiple vulnerabilities in the network-boot code of EDK II, highlights the slow response times of vendors. The situation with FatFs is exacerbated by the absence of a responsive upstream.

Attention should be focused on whether the FatFs maintainer will eventually provide a patch and how major platform vendors will respond. Until then, many devices remain vulnerable, reading untrusted storage with unaddressed code flaws.

Source: thehackernews.com
