Seven Unpatched Vulnerabilities in Widely Used FatFs Filesystem Library Expose Millions of Devices

Millions of IoT and Embedded Devices at Risk from Unpatched Flaws in FatFs Library

Severity: HIGH | July 4, 2026 | 6 min read | Categories: Vulnerability, IoT Security, Industrial Control Systems

Related Entities

Products & Tech: FatFs, Zephyr RTOS, MicroPython, GitHub Copilot

CVE Identifiers

  • CVE-2026-6682: HIGH (CVSS 7.6)
  • CVE-2026-6687: HIGH (CVSS 7.6)
  • CVE-2026-6688: HIGH (CVSS 7.6)
  • CVE-2026-6685: MEDIUM (CVSS 6.1)
  • CVE-2026-6683: MEDIUM (CVSS 4.6)
  • CVE-2026-6686: MEDIUM (CVSS 4.6)
  • CVE-2026-6684: MEDIUM (CVSS 4.6)

Full Report

Executive Summary

Security research firm runZero has disclosed seven vulnerabilities in FatFs, a popular open-source filesystem library used in millions of embedded devices worldwide. The flaws, tracked as CVE-2026-6682 through CVE-2026-6688, are triggered when the library parses a crafted FAT or exFAT volume, so an attacker who can get a malicious storage medium (e.g., an SD card or USB drive) inserted into a device can cause memory corruption or denial of service and potentially achieve arbitrary code execution. The library is a core component of SDKs from major vendors such as Espressif and STMicroelectronics, as well as of projects such as Zephyr RTOS and MicroPython. Critically, six of the seven vulnerabilities, including the most severe ones, remain unpatched in the upstream project due to an unresponsive maintainer, creating a significant and widespread supply chain risk.

Vulnerability Details

The vulnerabilities are triggered when the FatFs library attempts to parse a maliciously crafted FAT or exFAT filesystem. An attacker with physical access can introduce such a filesystem via removable media.

  • CVE-2026-6682 (CVSS 7.6, High): An integer overflow in the FAT32 volume-mounting code can cause the library to miscalculate a file size, leading to a heap-based buffer overflow and potential arbitrary code execution. Because the trigger is a crafted medium, this is local code execution on the device, not remote.
  • CVE-2026-6687 (CVSS 7.6, High): A stack-based buffer overflow when handling exFAT volume labels can be exploited for memory corruption.
  • CVE-2026-6688 (CVSS 7.6, High): A stack-based buffer overflow when processing long filenames in exFAT can also lead to memory corruption and potential code execution.
  • CVE-2026-6685 (CVSS 6.1, Medium): An arithmetic error can result in silent data corruption when writing to files.
  • CVE-2026-6683 (CVSS 4.6, Medium): A divide-by-zero error can cause the device to crash or become permanently unresponsive (bricked).
  • CVE-2026-6686 (CVSS 4.6, Medium): A flaw can lead to data leakage from previously deleted files.
  • CVE-2026-6684 (CVSS 4.6, Medium): An issue with malformed GPT partition tables. This is the only flaw that has been incidentally fixed in the latest version (R0.16).

Affected Systems

The FatFs library is ubiquitous in the embedded world. Any device that uses the library to interact with FAT/exFAT filesystems is potentially vulnerable. This includes a vast range of products:

  • IoT Devices: Security cameras, smart home hubs.
  • Industrial Control Systems (ICS): Drones, industrial controllers.
  • Consumer Electronics: Digital cameras, printers.
  • Hardware Crypto Wallets.
  • Development Platforms: Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr RTOS, MicroPython, ArduPilot, Samsung TizenRT.

Exploitation Status

runZero has released proof-of-concept disk images to demonstrate the vulnerabilities. There is no evidence of in-the-wild exploitation yet. However, the lack of an upstream patch for the most critical flaws and the public disclosure of technical details significantly increase the risk. The responsibility now falls on the numerous downstream vendors to identify their use of the library and develop and distribute patches.

Impact Assessment

A successful exploit of the code-execution vulnerabilities could allow an attacker to achieve a full "jailbreak" of a device. This would enable them to bypass all security controls, steal sensitive data stored on the device (e.g., private keys from a crypto wallet, Wi-Fi credentials), install persistent malware, or use the device as a pivot point to attack the broader network. For critical infrastructure or industrial devices, a compromise could lead to operational disruption or physical damage. The denial-of-service flaws can render devices permanently inoperable, requiring physical replacement.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • Log Source: device kernel or system logs. Monitor for crash dumps, memory-corruption errors, or divide-by-zero exceptions that occur immediately after a removable storage device is mounted.
  • File System: anomalous FAT/exFAT structure. Scanning removable media for over-long filenames or volume labels before mounting can surface an attempt to exploit these flaws.
  • Process Name: firmware processes that handle file I/O. Monitor these processes for unexpected crashes or hangs.
  • Event ID: device connection events. Correlate device crashes with the insertion of a USB drive or SD card.
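The last two hints, pairing a fault with a preceding media insertion, can be automated. The following C program is an added example written for this article, not runZero's or any vendor's tooling. It walks a constructed RTOS-style log whose "[HH:MM:SS.mmm]" prefix, message strings and keyword lists are assumed for the example, and flags every fault that follows a card or USB insertion within a configurable window. The line format and the keyword lists are the parts to adapt to a real device's logs.

```c
/* media_fault_correlate.c: flag device faults that follow a removable-media
 * insertion within a short window. Added example; the log format below is a
 * constructed RTOS-style format, not a real device's output.
 * Build: cc -Wall media_fault_correlate.c */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample log (not captured from a real device). */
const char *SAMPLE_LOG[] = {
    "[00:00:01.004] boot: firmware v2.3.1",
    "[00:00:12.310] sdmmc: card inserted, mounting /sd",
    "[00:00:12.355] fatfs: f_mount failed: FR_NO_FILESYSTEM",
    "[00:00:12.360] FAULT: divide by zero at pc=0x0800A3C4",
    "[00:00:12.361] system: reboot",
    "[00:01:40.000] usb: device attached, mounting /usb",
    "[00:01:40.050] fatfs: mounted /usb (FAT32)",
    "[00:05:00.000] FAULT: hard fault at pc=0x08001000",
};
const size_t SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];

struct hit { size_t insert_line, fault_line; long delta_ms; };

/* Parse the "[HH:MM:SS.mmm]" prefix into milliseconds; -1 if absent. */
long log_time_ms(const char *line)
{
    unsigned h, m, s, ms;
    if (sscanf(line, "[%u:%u:%u.%u]", &h, &m, &s, &ms) != 4) return -1;
    return ((h * 60L + m) * 60L + s) * 1000L + ms;
}

/* Keyword lists are assumptions for this example; adapt them to the device. */
static int is_media_insert(const char *l)
{
    return strstr(l, "card inserted") || strstr(l, "device attached");
}
static int is_fault(const char *l)
{
    return strstr(l, "FAULT") || strstr(l, "panic") || strstr(l, "divide by zero");
}

/* Single pass over the log: each fault is paired with the most recent
 * insertion if it happened within window_ms. Returns the number of hits. */
size_t correlate(const char **lines, size_t n, long window_ms,
                 struct hit *hits, size_t max_hits)
{
    size_t count = 0, last_insert_idx = 0;
    long last_insert_ms = -1;
    for (size_t i = 0; i < n; i++) {
        long t = log_time_ms(lines[i]);
        if (t < 0) continue;                        /* unparseable line: skip, do not abort */
        if (is_media_insert(lines[i])) {
            last_insert_ms = t; last_insert_idx = i;
        } else if (is_fault(lines[i]) && last_insert_ms >= 0 &&
                   t - last_insert_ms <= window_ms && count < max_hits) {
            hits[count++] = (struct hit){ last_insert_idx, i, t - last_insert_ms };
            last_insert_ms = -1;                    /* one fault per insertion */
        }
    }
    return count;
}

int main(void)
{
    struct hit hits[8];
    size_t n = correlate(SAMPLE_LOG, SAMPLE_LOG_LEN, 2000, hits, 8);
    for (size_t i = 0; i < n; i++)
        printf("fault at line %zu follows media insertion at line %zu by %ld ms\n  %s\n  %s\n",
               hits[i].fault_line, hits[i].insert_line, hits[i].delta_ms,
               SAMPLE_LOG[hits[i].insert_line], SAMPLE_LOG[hits[i].fault_line]);
    return 0;
}
```

With the 2-second window only the divide-by-zero fault 50 ms after the SD card insertion is reported; the hard fault five minutes later is not, which is the point of windowing: a device that faults on its own is a different investigation from one that faults every time a particular card goes in.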

Detection Methods

  • Firmware Analysis: Use binary analysis tools to scan device firmware images for the presence of the vulnerable FatFs library functions. This is a key part of D3FEND's System File Analysis (D3-SFA).
  • Software Bill of Materials (SBOM): Organizations should demand and review SBOMs from their device suppliers to determine if FatFs is a component in their products.
  • Physical Security Monitoring: While indirect, monitoring physical access to sensitive devices can help correlate potential tampering (e.g., inserting a USB drive) with device malfunctions.

Remediation Steps

  1. Vendor Patches: The primary remediation is to apply firmware updates from device manufacturers as they become available. End-users should actively check for updates for their devices.
  2. Downstream Patching: Device manufacturers and projects using FatFs must urgently identify their use of the library, port the fixes suggested by runZero (if possible), and release patched firmware.
  3. Physical Access Control: Restrict physical access to embedded devices to prevent the insertion of malicious removable media. This is a fundamental operational security control.
  4. Input Validation and Feature Reduction: As a temporary mitigation, validate removable media before the library parses it and reject volumes with characteristics known to trigger the bugs, such as over-long volume labels or filenames. This has to be a separate pre-mount check, since the library's own parser is what fails on such input. Downstream builds that do not need exFAT can also compile it out by setting FF_FS_EXFAT to 0 in ffconf.h, which removes the exFAT code paths where two of the three high-severity flaws live; likewise, builds that do not need GPT can leave FF_LBA64 disabled, which removes the partition-table parsing behind CVE-2026-6684.
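Step 4 above, like the Vulnerability Details section, comes down to one discipline: check filesystem metadata before it is used as a size, a divisor or a copy length. The following C program is an added example written for this article; it is not FatFs code and not runZero's proof-of-concept. It parses a FAT32 boot sector and an exFAT volume-label directory entry using the Microsoft on-disk layouts, rejects the input classes the advisory describes (a zero sectors-per-cluster divisor, layout sums that only fit because 32-bit arithmetic wrapped, a FAT too small for the data region it indexes, a label length field larger than its 11-unit field), and shows the wrapped value a naive 32-bit computation would have accepted. All sample sectors are constructed in the code; the function names and verdict codes are the example's own.

```c
/* fat_precheck.c: pre-mount validation of FAT32 boot-sector geometry and an
 * exFAT volume-label entry. Added example (not FatFs code, not runZero's PoC).
 * Offsets follow the Microsoft FAT32/exFAT on-disk layouts; every sample
 * sector is constructed here, not taken from a device. Build: cc -Wall fat_precheck.c */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTOR 512
#define EXFAT_LABEL_MAX 11      /* exFAT label field holds at most 11 UTF-16 units */

enum fat_verdict {
    FAT_OK = 0,
    FAT_BAD_SIGNATURE,
    FAT_BAD_SECTOR_SIZE,
    FAT_BAD_CLUSTER_SIZE,       /* sectors/cluster 0 or not a power of two: divide-by-zero class */
    FAT_BAD_GEOMETRY,           /* zero counts, or a FAT too small for the data region */
    FAT_GEOMETRY_OVERFLOW       /* layout sums only "fit" because 32-bit math wrapped */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)v); put16(p + 2, (uint16_t)(v >> 16)); }

/* Construct a FAT32 boot sector with the given geometry (test fixture). */
void make_fat32_bpb(uint8_t sec[SECTOR], uint16_t bps, uint8_t spc, uint16_t rsvd,
                    uint8_t nfats, uint32_t fatsz, uint32_t totsec)
{
    memset(sec, 0, SECTOR);
    sec[0] = 0xEB; sec[1] = 0x58; sec[2] = 0x90;   /* BS_jmpBoot */
    put16(sec + 11, bps);                          /* BPB_BytsPerSec */
    sec[13] = spc;                                 /* BPB_SecPerClus */
    put16(sec + 14, rsvd);                         /* BPB_RsvdSecCnt */
    sec[16] = nfats;                               /* BPB_NumFATs */
    put32(sec + 32, totsec);                       /* BPB_TotSec32 */
    put32(sec + 36, fatsz);                        /* BPB_FATSz32 */
    put32(sec + 44, 2);                            /* BPB_RootClus */
    memcpy(sec + 82, "FAT32   ", 8);               /* BS_FilSysType */
    sec[510] = 0x55; sec[511] = 0xAA;
}

/* The unsafe pattern: reserved + nfats*fatsz evaluated in 32 bits wraps to a
 * small number, so a later "is it inside the volume?" test passes. */
uint32_t naive_data_start32(const uint8_t sec[SECTOR])
{
    return rd16(sec + 14) + (uint32_t)sec[16] * rd32(sec + 36);
}

enum fat_verdict check_fat32_bpb(const uint8_t sec[SECTOR])
{
    if (sec[510] != 0x55 || sec[511] != 0xAA) return FAT_BAD_SIGNATURE;
    uint16_t bps = rd16(sec + 11);
    if (bps != 512 && bps != 1024 && bps != 2048 && bps != 4096) return FAT_BAD_SECTOR_SIZE;
    uint8_t spc = sec[13];
    if (spc == 0 || (spc & (spc - 1)) != 0) return FAT_BAD_CLUSTER_SIZE;
    uint16_t rsvd = rd16(sec + 14);
    uint8_t nfats = sec[16];
    uint32_t totsec = rd32(sec + 32), fatsz = rd32(sec + 36);
    if (rsvd == 0 || nfats == 0 || nfats > 2 || totsec == 0 || fatsz == 0) return FAT_BAD_GEOMETRY;

    /* Widen before multiplying or adding, then compare in the wide type. */
    uint64_t data_start = (uint64_t)rsvd + (uint64_t)nfats * fatsz;
    if (data_start >= totsec) return FAT_GEOMETRY_OVERFLOW;
    uint64_t clusters = (totsec - data_start) / spc;     /* spc proven non-zero above */
    uint64_t fat_entries = (uint64_t)fatsz * bps / 4;     /* 32-bit entries per FAT */
    if (clusters < 65525 || clusters + 2 > fat_entries) return FAT_BAD_GEOMETRY;
    return FAT_OK;
}

/* exFAT volume-label directory entry: EntryType 0x83, CharacterCount at byte 1,
 * then 11 UTF-16LE units at bytes 2..23. An unchecked CharacterCount is the
 * kind of length field that drives a copy past a fixed-size stack buffer. */
void make_exfat_label(uint8_t entry[32], const char *ascii, uint8_t count_field)
{
    memset(entry, 0, 32);
    entry[0] = 0x83;
    entry[1] = count_field;                        /* may deliberately lie */
    for (size_t i = 0; i < EXFAT_LABEL_MAX && ascii[i]; i++)
        put16(entry + 2 + 2 * i, (uint8_t)ascii[i]);
}

/* Returns the label length in code units, or -1 if the entry must be rejected. */
int exfat_label_copy(const uint8_t entry[32], uint16_t out[EXFAT_LABEL_MAX + 1])
{
    if (entry[0] != 0x83 || entry[1] > EXFAT_LABEL_MAX) return -1;
    for (int i = 0; i < entry[1]; i++) out[i] = rd16(entry + 2 + 2 * i);
    out[entry[1]] = 0;
    return entry[1];
}

int main(void)
{
    uint8_t sec[SECTOR], entry[32]; uint16_t label[EXFAT_LABEL_MAX + 1];
    make_fat32_bpb(sec, 512, 8, 32, 2, 1024, 1048576);        /* sane 512 MiB volume */
    printf("sane volume: verdict %d\n", check_fat32_bpb(sec));
    make_fat32_bpb(sec, 512, 8, 32, 2, 0xFFFFFFFFu, 0x1000);   /* FAT size that wraps */
    printf("wrapped: naive start %u, verdict %d\n", naive_data_start32(sec), check_fat32_bpb(sec));
    make_exfat_label(entry, "MYDRIVE", 200);                   /* count field lies */
    printf("oversized label: %d\n", exfat_label_copy(entry, label));
    return 0;
}
```

A check like this belongs in the block-device or media-detection layer, before the library's mount routine ever reads the medium. It narrows exposure but does not replace the upstream fixes: it only catches the field classes named here, and the library still parses everything else on the volume.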

Timeline of Events

  1. July 4, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Update Software (M1051): Applying firmware updates from device vendors is the primary way to remediate these vulnerabilities.
  • The root cause is a lack of input validation on filesystem metadata. Patches add checks that keep parsed sizes, counts and lengths within the bounds of the structures they index.
  • Limit Hardware Installation (M1034): Restricting the use of removable media (USB, SD cards) on critical devices prevents the introduction of a malicious filesystem.

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

FatFs, Vulnerability, Unpatched, IoT, Embedded Systems, Supply Chain, runZero, RCE, Memory Corruption
