Security Firm runZero Discloses Seven Vulnerabilities in FatFs Filesystem Library
Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library widely used to read and write FAT and exFAT formats on USB drives and SD cards. The flaws are significant because FatFs is integrated into the firmware of numerous devices, including security cameras, drones, industrial controllers, hardware crypto wallets, and other systems built on real-time operating systems.
Potential Impact of the Vulnerabilities
On affected systems, an attacker could exploit these flaws by inserting a maliciously crafted USB drive, SD card, or update file. This could lead to memory corruption and the execution of arbitrary code. Many embedded devices lack the memory protections found in phones and desktops, making them particularly vulnerable. According to runZero, 'any physical access leads to a jailbreak,' highlighting the severity of the issue.
All seven vulnerabilities share a common exploitation mechanism: the device attempts to read a malformed storage volume or firmware image, and FatFs mishandles the corrupted data. The vulnerabilities are rated as Medium to High on the CVSS scale, with no Critical-level issues identified.
Key Vulnerabilities Disclosed
- CVE-2026-6682 (CVSS 7.6, High): An integer overflow in the FAT32 mounting code can lead to memory corruption and possible code execution. This bug can be triggered through firmware updates, not just physical media.
- CVE-2026-6687 (CVSS 7.6, High): An overflow in the exFAT volume-label field can cause memory corruption.
- CVE-2026-6688 (CVSS 7.6, High): Long filenames can overflow wrapper code around FatFs, leading to memory corruption.
- CVE-2026-6685 (CVSS 6.1, Medium): A math wrap in cache handling on fragmented volumes can silently corrupt data.
- CVE-2026-6683 (CVSS 4.6, Medium): An exFAT divide-by-zero flaw can crash the device or brick hardware during updates.
- CVE-2026-6686 (CVSS 4.6, Medium): A file extended past its end can leak data from previously deleted files.
- CVE-2026-6684 (CVSS 4.6, Medium): A malformed GPT partition table can hang the device during mount. This is the only vulnerability fixed upstream in FatFs R0.16.
Challenges in Patching the Flaws
FatFs is maintained by a single developer, and runZero's attempts to contact the maintainer, including through Japan's JPCERT/CC, have been unsuccessful. As a result, there is no upstream fix for the memory-corruption bugs, and downstream vendors must patch the issues independently. This process is expected to take years, leaving millions of devices vulnerable in the meantime.
Affected platforms include Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate. These platforms are used in consumer IoT devices, industrial equipment, drones, and crypto wallets, highlighting the widespread impact of the vulnerabilities.
Recommendations for Device Manufacturers and Users
- Firmware Developers: Audit the wrapper code around FatFs, carefully handle filenames and file sizes, and plan to patch affected systems.
- Device Users: Treat physical ports and update channels as potential attack surfaces. Limit access to media inputs and monitor for vendor firmware updates.
The Role of AI in Discovering Vulnerabilities
runZero's discovery of these vulnerabilities was aided by AI tools, including Visual Studio Code and GitHub Copilot. The team used an AI-built fuzzer to identify bugs that a manual audit had missed. This aligns with a growing trend in cybersecurity, where AI is increasingly used to uncover exploitable flaws in widely used software.
Conclusion
The disclosure of these vulnerabilities underscores the urgent need for improved security in embedded systems. With no immediate upstream fix available, the onus falls on downstream vendors to address the flaws. Users and manufacturers must remain vigilant to protect against potential attacks exploiting these vulnerabilities.