Executive Summary
Seven unpatched vulnerabilities have been disclosed in the FatFs filesystem library, a component bundled into the firmware of millions of embedded devices worldwide. These flaws, discovered and published by security firm runZero, affect devices ranging from security cameras and drones to industrial controllers and hardware crypto wallets. The vulnerabilities allow attackers with physical access (via USB, SD card, or firmware update file) to achieve memory corruption, data leakage, denial of service, or even arbitrary code execution on affected devices.
Technical Details
Vulnerability Overview
FatFs is a lightweight filesystem library enabling FAT and exFAT support on embedded systems. The vulnerabilities arise from improper handling of malformed storage volumes or firmware images, leading to memory safety issues.
Disclosed CVEs:
| CVE | CVSS | Description |
| --- | --- | --- |
| CVE-2026-6682 | 7.6 | FAT32 mount integer overflow; memory corruption and possible code execution. |
| CVE-2026-6687 | 7.6 | exFAT volume-label buffer overflow; memory corruption foothold. |
| CVE-2026-6688 | 7.6 | Long filenames overflow wrapper code (e.g., strcpy of fno.fname); hard to fix in FatFs alone. |
| CVE-2026-6685 | 6.1 | Math wrap in cache handling on fragmented volumes; silent data corruption. |
| CVE-2026-6683 | 4.6 | exFAT divide-by-zero; device crash or bricking via update flow. |
| CVE-2026-6686 | 4.6 | File extended past end leaks leftover data from deleted files. |
| CVE-2026-6684 | 4.6 | Malformed GPT partition table hangs device during mount (fixed in FatFs R0.16). |
References:
- The Hacker News: Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices
- runZero Disclosure
- runZero PoC and technical details
- NVD CVE-2026-6683
Complete List of Affected Product Versions
FatFs Library
- All versions up to and including R0.16
- NVD CPE reference:
- cpe:2.3:a:elm-chan:fatfs:*:*:*:*:*:*:*:* versions up to (including) r0.16
Major Downstream Platforms (using affected FatFs versions)
The following platforms are confirmed to bundle FatFs R0.16 or earlier, and are therefore affected unless they have independently patched or updated their FatFs integration:
- Espressif ESP-IDF (all versions bundling FatFs ≤ R0.16)
- STMicroelectronics STM32Cube middleware (all versions bundling FatFs ≤ R0.16)
- Zephyr RTOS (all versions bundling FatFs ≤ R0.16)
- MicroPython (all versions bundling FatFs ≤ R0.16)
- ArduPilot (all versions bundling FatFs ≤ R0.16)
- RT-Thread (all versions bundling FatFs ≤ R0.16)
- Mbed (all versions bundling FatFs ≤ R0.16)
- Samsung TizenRT (all versions bundling FatFs ≤ R0.16)
- SWUpdate (all versions bundling FatFs ≤ R0.16)
Note:
- The exact downstream product version numbers depend on the integration date and whether the vendor has backported fixes. If your device or firmware uses FatFs R0.16 or earlier, it is affected unless specifically patched.
- runZero blog and NVD confirm that "all FatFs filesystem drivers ever released are vulnerable and no patches are available" except for the GPT DoS (CVE-2026-6684) fixed in R0.16.
Exploitation Details
- Attack Vector: Physical access (USB, SD card, or firmware update file). In some cases, remote exploitation is possible via malicious firmware updates.
- Impact: Memory corruption, arbitrary code execution, data leakage, device bricking, and denial of service.
- Proof-of-Concept: Publicly available disk images and test harnesses have been released by runZero (GitHub PoC).
- Exploitation in the Wild: As of July 1, 2026, no active exploitation has been reported. However, the public availability of PoC material increases the risk of future attacks.
Indicators of Compromise (IOCs)
- Unusual device crashes or reboots after inserting removable media.
- Unexpected firmware behavior following updates.
- Memory corruption or data leakage events logged by device monitoring tools.
- Detection of known PoC disk images or malformed FAT/exFAT volumes.
Threat Actor and TTPs
- MITRE ATT&CK Techniques:
- T1200: Hardware Additions (removable media as attack vector)
- T1543: Create or Modify System Process (via code execution on device)
- T1499: Endpoint Denial of Service (device bricking/crash)
- APT Groups: No specific APT group attribution as of this report. However, physical access vectors are commonly exploited by both criminal and nation-state actors targeting critical infrastructure and IoT.
Mitigation Strategies
- Vendor Response: Only CVE-2026-6684 (GPT hang) is fixed upstream (FatFs R0.16). All other vulnerabilities remain unpatched at the library level.
- Downstream Patching: Device manufacturers must audit and patch their own FatFs integrations, especially wrapper code handling filenames and file sizes.
- Operational Controls: Restrict physical access to devices, monitor for unauthorized firmware updates, and disable unused USB/SD ports where possible.
- Monitoring: Watch for vendor advisories and firmware updates addressing these vulnerabilities.
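The wrapper-code audit recommended above, shown as an added example (not runZero's code or FatFs's own source): the fixed-buffer strcpy pattern the advisory names for CVE-2026-6688 sits beside a bounded replacement that refuses names the destination cannot hold. The FILINFO struct is a simplified stand-in for the FatFs one, and FF_LFN_BUF is an assumed value that real builds take from ffconf.h.

```c
/* Added example, not FatFs or runZero code. FILINFO is a simplified
 * stand-in for the FatFs struct; FF_LFN_BUF = 255 is an assumption. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FF_LFN_BUF 255
#define SHORT_NAME_MAX 12            /* "FILENAME.EXT" without the NUL */

typedef struct {
    char fname[FF_LFN_BUF + 1];      /* long filename, NUL-terminated */
} FILINFO;

/* The pattern the advisory describes: integration code sized for 8.3
 * names copies fno.fname with strcpy, but a long name from a hostile
 * volume can be up to FF_LFN_BUF bytes. Shown for contrast; never called. */
void wrapper_unsafe(const FILINFO *fno, char *out /* 13 bytes */) {
    strcpy(out, fno->fname);
}

/* Hardened wrapper: measure the name against the destination first and
 * refuse (-1) instead of truncating, so the caller never acts on a name
 * that differs from the one on the volume. Returns the length copied. */
int wrapper_safe(const FILINFO *fno, char *out, size_t out_sz) {
    const char *end = memchr(fno->fname, '\0', sizeof fno->fname);
    size_t n = end ? (size_t)(end - fno->fname) : sizeof fno->fname;
    if (out_sz == 0) return -1;
    if (n >= out_sz) {               /* no room for name plus NUL */
        out[0] = '\0';
        return -1;
    }
    memcpy(out, fno->fname, n);
    out[n] = '\0';
    return (int)n;
}

/* Helper that builds a FILINFO from a constructed name and runs the safe
 * wrapper into a buffer of at most SHORT_NAME_MAX + 1 bytes. */
int safe_copy_len(const char *name, size_t out_sz) {
    FILINFO fno;
    char out[SHORT_NAME_MAX + 1];
    size_t n = strlen(name);
    if (n > FF_LFN_BUF) n = FF_LFN_BUF;
    if (out_sz > sizeof out) out_sz = sizeof out;
    memcpy(fno.fname, name, n);
    fno.fname[n] = '\0';
    return wrapper_safe(&fno, out, out_sz);
}
```

A name of exactly 12 characters fits a 13-byte buffer; anything longer is rejected with -1 rather than overrunning the stack.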
References
- The Hacker News: Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices
- runZero Blog: FatFs Vulnerabilities
- runZero PoC and technical details
- NVD - National Vulnerability Database
- ReconShield: Multiple FatFs Vulnerabilities Impact Embedded Devices Worldwide
- Reddit: Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices
Conclusion
The FatFs vulnerabilities represent a significant supply chain risk for embedded devices globally. With no upstream fixes for most issues and public PoC exploits available, organizations must proactively audit and secure their devices. Monitor for vendor advisories, restrict physical access, and prioritize patching of affected systems.
For further assistance or a tailored risk assessment, contact Rescana’s Cybersecurity Team.