7 FatFs Bugs Threaten Embedded Devices via Removable Media

FatFs vulnerabilities in embedded devices triggered by crafted SD card or USB drive

A compact library for managing memory cards and USB drives has become a shared risk point. Researchers at runZero have shown it puts an entire class of embedded devices at risk. Specifically, they disclosed seven vulnerabilities in FatFs, a widely used component in embedded firmware and real-time operating systems.

The flaws range from medium to high severity. In total, they affect ESP-IDF, STM32Cube, Zephyr RTOS, MicroPython, ArduPilot, RT-Thread, Mbed, TizenRT, and SWUpdate.

Why These Bugs Are Dangerous

FatFs parses FAT, exFAT, and GPT partitions. As a result, the bugs trigger when a device mounts a crafted storage medium. They also fire during the processing of a specially prepared firmware update image.

Many embedded devices lack address space randomization and memory protection. On such systems, brief access to an SD card slot or USB port may be enough to seize full control. Cameras, ATMs, industrial controllers, drones, crypto wallets, and other devices with removable storage all fall within the risk zone.

The Seven Vulnerabilities at a Glance

CVE-2026-6682 CVSS 7.6 (High)

It triggers an integer overflow when mounting a FAT32 volume. That overflow can lead to memory corruption and arbitrary code execution.

CVE-2026-6687 CVSS 7.6 (High)

It also scores 7.6 under CVSS 3.1. It allows an attacker to overflow the stack using an excessively long exFAT volume label.

CVE-2026-6688 CVSS 7.6 (High)

It affects programs that copy long filenames into undersized buffers.

CVE-2026-6685 CVSS 6.1 (Medium)

A calculation error during fragmented volume processing can corrupt data or trigger an out-of-bounds memory access.

CVE-2026-6683 CVSS 4.6 (Medium)

It provokes a divide-by-zero error during exFAT write operations. Consequently, the device crashes and any in-progress firmware update may fail.

CVE-2026-6686 CVSS 4.6 (Medium)

It allows an attacker to read residual data from previously deleted files.

CVE-2026-6684 CVSS 4.6 (Medium)

It causes versions prior to FatFs R0.16 to scan a crafted GPT partition for an abnormally long time. That extended scan effectively freezes the device.

Furthermore, the researchers linked CVE-2026-6682 and CVE-2026-6683 to certain over-the-air firmware update mechanisms.

How the Bugs Were Found

RunZero first examined the codebase back in 2017. Manual analysis and automated fuzzing produced no serious findings at that time. However, the team returned to the code in March 2026. Using GitHub Copilot, they built a new analysis tool that surfaced the previously missed bugs. It also helped confirm how each flaw behaves across different deployment scenarios.

Disclosure and Vendor Response

The FatFs developer did not respond to disclosure attempts. Even after JPCERT/CC became involved, no reply arrived.

What Vendors Should Do Now

RunZero advises vendors to audit their own copies of the library and any software wrappers around it. They should also review how their code handles filenames and size calculations. In addition, vendors should prepare patches promptly.

Any deployment running a version older than FatFs R0.16 should upgrade immediately. That version contains the GPT-scanning flaw, which can lock up a system indefinitely.

Support Our Threat Intelligence

If you find our technology report and cybersecurity news helpful, consider supporting our work.

Crypto QR Code
USDT (TRC20):
TN8BdV8cp4T1Cd28gK9qTAnZknzzuwyUtm
USDT (ERC20):
0x3725e1a7d3bc5765499fa6aaafe307fabcd75bce

Leave a Reply