News·3 min read

Seven FatFs Vulnerabilities Exposing Embedded Devices to Code Execution

Seven newly disclosed vulnerabilities in FatFs, the ubiquitous FAT/exFAT filesystem library, could let a malicious USB drive, SD card, or firmware update trigger memory corruption and code execution o

CS
CyberShield Team
2026-07-06
Share:
Seven FatFs Vulnerabilities Exposing Embedded Devices to Code Execution

Seven newly disclosed vulnerabilities in FatFs, the ubiquitous FAT/exFAT filesystem library, could let a malicious USB drive, SD card, or firmware update trigger memory corruption and code execution on embedded devices worldwide. runZero published the findings on July 1, 2026, tracked as CVE-2026-6682 through CVE-2026-6688, with CVSS scores ranging from 4.6 (Medium) to 7.6 (High) […] The post Seven FatFs Vulnerabilities Exposing Embedded Devices to Code Execution appeared first on Cyber Security News.

Seven newly disclosed vulnerabilities in FatFs, the ubiquitous FAT/exFAT filesystem library, could let a malicious USB drive, SD card, or firmware update trigger memory corruption and code execution on embedded devices worldwide. runZero published the findings on July 1, 2026, tracked as CVE-2026-6682 through CVE-2026-6688, with CVSS scores ranging from 4.6 (Medium) to 7.6 (High) and no critical-rated issues. FatFs powers storage handling in major platforms including Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr RTOS, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate. Seven FatFs Vulnerabilities That footprint extends into consumer IoT devices, industrial controllers, drones, and cryptocurrency wallets. The research revisits a 2017 manual audit and fuzzing effort that turned up only minor issues. In March 2026, HD Moore of runZero re-approached the codebase using GitHub Copilot in “auto” mode to automatically generate fuzzing tools, without custom harnesses or loops, surfacing bugs the manual audit had missed. CVE-2026-6682 (CVSS 7.6): Integer overflow in mount_volume() where fasize *= fs->n_fats can wrap, producing attacker-controlled file-size metadata that downstream code may trust as a read length, leading to memory corruption and possible code execution. Reachable through some firmware updates, not just physical media. CVE-2026-6687 (CVSS 7.6): Stack overflow in f_getlabel() because the exFAT label length field (XDIR_NumLabel) is not adequately capped, giving attackers a clean foothold for memory corruption. CVE-2026-6688 (CVSS 7.6): Long filename overflow affecting downstream callers, where LFN-enabled fno.fname values overflow fixed-size buffers via patterns like strcpyhard to fix within FatFs alone, since it depends on wrapper code. CVE-2026-6685 (CVSS 6.1): Unsigned subtraction wrap-around in dirty-cache handling on fragmented volumes, risking silent data corruption in read/write paths. CVE-2026-6683 (CVSS 4.6): Divide-by-zero in exFAT sync/write logic when crafted metadata causes n_fatent - 2 to equal zero, creating a bricking risk in update flows. CVE-2026-6686 (CVSS 4.6): Uninitialized cluster exposure when a file is extended past EOF, leaking stale data from previously deleted content. CVE-2026-6684 (CVSS 4.6): GPT partition-scan loop causing mount-time denial-of-service in pre-R0.16 implementations; the only one of the seven fixed upstream in FatFs R0.16. Because FatFs lacks ASLR and memory protections typical in embedded contexts, physical access via USB or SD card, or a booby-trapped firmware update, can corrupt device memory and potentially run attacker code. All released FatFs versions remain affected except for the GPT DoS fix in R0.16, and as of the disclosure date, no active exploitation had been reported. runZero made repeated attempts to contact the FatFs maintainer and involved JPCERT/CC, but received no coordinated response, leaving no upstream fix path for the memory-corruption bugs. The team published proof-of-concept disk images, a test harness, and a working QEMU-based exploit example in a companion GitHub repository, urging downstream implementers to audit vendored FatFs versions and wrapper code for filename and file-size handling. Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google. The post Seven FatFs Vulnerabilities Exposing Embedded Devices to Code Execution appeared first on Cyber Security News.

Share:

Join the Discussion

Comments coming soon. Follow us on social media for real-time discussions.