
runZero Uncovers Seven FatFs Vulnerabilities That Could Expose Millions of Embedded Devices to Code Execution

runZero noted that many embedded devices do not implement the memory protection mechanisms commonly found in smartphones.

Security firm runZero has revealed seven security vulnerabilities in FatFs, a lightweight filesystem library widely used by embedded devices to read and write FAT and exFAT storage formats found on USB drives and SD cards.

The vulnerabilities are considered significant because FatFs is integrated into the firmware powering a broad range of products, including security cameras, drones, industrial control systems, hardware cryptocurrency wallets, and devices running real-time operating systems (RTOS).

According to the researchers, attackers could exploit the flaws by introducing a specially crafted USB drive, SD card, or malicious firmware update file to vulnerable devices. On severely affected systems, successful exploitation could lead to memory corruption and arbitrary code execution.

runZero noted that many embedded devices do not implement the memory protection mechanisms commonly found in smartphones and desktop operating systems. As a result, "any physical access leads to a jailbreak." The researchers warned that devices such as public kiosks, security cameras with SD card slots, ATMs, and voting machines equipped with USB ports could potentially be compromised with only brief physical access.

The seven vulnerabilities share a similar root cause. When FatFs processes intentionally malformed storage media or firmware images, it mishandles invalid on-disk metadata, creating opportunities for crashes, memory corruption, or data leakage. The vulnerabilities have received CVSS ratings ranging from Medium to High, with none classified as Critical.

The most severe issue, tracked as CVE-2026-6682 (CVSS 7.6), is an integer overflow affecting FAT32 volume mounting. Incorrect calculations can generate an inaccurate file size, which is later interpreted as a legitimate read length, potentially resulting in memory corruption and remote code execution.

The complete list of disclosed vulnerabilities includes:

  • CVE-2026-6682 (CVSS 7.6 – High): Integer overflow during FAT32 volume mounting that can cause memory corruption and possible code execution. The flaw may also be exploited through certain firmware update mechanisms.
  • CVE-2026-6687 (CVSS 7.6 – High): A buffer overflow involving an exFAT volume-label field that enables memory corruption.
  • CVE-2026-6688 (CVSS 7.6 – High): Long filenames can overflow wrapper code commonly implemented around FatFs, making mitigation dependent on downstream developers rather than the library itself.
  • CVE-2026-6685 (CVSS 6.1 – Medium): Integer wraparound in cache handling for fragmented volumes that may silently corrupt stored data.
  • CVE-2026-6683 (CVSS 4.6 – Medium): Divide-by-zero vulnerability in exFAT handling that can crash devices and potentially render hardware unusable during firmware updates.
  • CVE-2026-6686 (CVSS 4.6 – Medium): Improper file extension handling that may expose residual data from previously deleted files.
  • CVE-2026-6684 (CVSS 4.6 – Medium): A malformed GPT partition table can cause devices to hang while mounting storage media. This is currently the only vulnerability addressed upstream in FatFs version R0.16.

runZero also highlighted challenges surrounding coordinated disclosure. The company said it repeatedly attempted to contact the FatFs maintainer and involved Japan's JPCERT/CC coordination center but did not receive a response.

As a result, the researchers stated that there are currently no upstream patches for the memory corruption vulnerabilities, no dedicated security advisory process, and no centralized mechanism for notifying the numerous vendors that bundle FatFs into their products. While upgrading to FatFs R0.16 mitigates the GPT partition issue, the remaining vulnerabilities require downstream vendors to develop and distribute their own fixes.

The vulnerabilities affect multiple software platforms and frameworks that incorporate FatFs, including Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and the SWUpdate firmware updater. This broad adoption extends the potential impact across consumer IoT devices, industrial equipment, drones, and cryptocurrency hardware wallets.

As of runZero's public disclosure on July 1, no known attacks exploiting these vulnerabilities had been reported. However, the researchers have released proof-of-concept disk images, a testing framework, and a functional QEMU-based exploit demonstration, making technical details publicly available.

For firmware developers, runZero recommends identifying any bundled FatFs implementations, reviewing wrapper code for unsafe filename and file-size handling, and preparing vendor-specific patches. Organizations operating affected devices are advised to treat USB ports, SD card slots, and firmware update channels as potential attack vectors by restricting physical access and applying firmware updates as they become available.
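As an added illustration of the wrapper-side review runZero recommends (this is not runZero's or FatFs' own code), the block below shows two checks a wrapper around a FAT library can apply before using a filename or a reported file size: the name must fit the wrapper's fixed buffer, and the size must be plausible before it becomes a read length. The entry struct, WRAP_NAME_MAX and MEDIA_CAPACITY_BYTES are constructed stand-ins for the library's directory-entry type and limits, not FatFs identifiers.

```c
/* Added example, not runZero's or FatFs' own code: wrapper-side checks in the
 * spirit of runZero's advice to review filename and file-size handling.
 * entry_t, WRAP_NAME_MAX and MEDIA_CAPACITY_BYTES are constructed stand-ins
 * for the filesystem library's directory-entry type and limits. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WRAP_NAME_MAX 64                           /* wrapper's fixed name buffer (assumed) */
#define MEDIA_CAPACITY_BYTES (32u * 1024u * 1024u) /* constructed 32 MiB card */

typedef struct {              /* constructed stand-in for a directory entry */
    const char *fname;        /* name as returned by the filesystem library */
    uint64_t fsize;           /* size taken from on-disk metadata: untrusted */
} entry_t;

/* Copy a filename into the fixed wrapper buffer only if it fits with its NUL.
 * Scans at most WRAP_NAME_MAX bytes, so an over-long name can never overflow
 * dst; the caller gets false instead of a silently truncated name. */
bool wrap_copy_name(char dst[WRAP_NAME_MAX], const char *src) {
    size_t n = 0;
    while (n < WRAP_NAME_MAX && src[n] != '\0') n++;
    if (n >= WRAP_NAME_MAX) { dst[0] = '\0'; return false; }
    memcpy(dst, src, n + 1);
    return true;
}

/* Derive a read length from a reported file size. The size is rejected rather
 * than clamped when it cannot be genuine: larger than 32 bits (FAT32 sizes are
 * 32-bit), larger than the media, or larger than the destination buffer. */
bool wrap_read_len(uint64_t reported_size, size_t buf_len, uint32_t *len_out) {
    *len_out = 0;
    if (reported_size > UINT32_MAX) return false;
    if (reported_size > MEDIA_CAPACITY_BYTES) return false;
    if (reported_size > buf_len) return false;
    *len_out = (uint32_t)reported_size;
    return true;
}

/* Validate one entry before any read is issued: both checks must pass. */
bool wrap_check_entry(const entry_t *e, char name_out[WRAP_NAME_MAX],
                      size_t buf_len, uint32_t *len_out) {
    bool name_ok = wrap_copy_name(name_out, e->fname);
    bool size_ok = wrap_read_len(e->fsize, buf_len, len_out);
    return name_ok && size_ok;
}
```

A wrapper that rejects rather than clamps makes a malformed entry visible in logs instead of turning it into a short, silently wrong read.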

AI-assisted vulnerability research speeds up discovery

runZero revealed that it initially reviewed FatFs manually in 2017 but found few noteworthy issues. During a renewed assessment in March 2026, the researchers employed an AI-assisted workflow using Visual Studio Code, GitHub Copilot running in "auto" mode, and a series of simple prompts.

The AI-assisted workflow produced a fuzzer capable of feeding malformed inputs into the filesystem library, uncovering vulnerabilities that had been missed during the earlier manual review while also helping validate their exploitability.

The researchers compared this trend to other recent AI-assisted security discoveries, including Google's Big Sleep identifying an exploitable memory flaw in SQLite during late 2024 and an autonomous AI agent discovering 21 memory-safety vulnerabilities in FFmpeg last month.

runZero argued that the increasing accessibility of AI-powered security research means attackers can leverage similar techniques, making timely vulnerability disclosure and remediation increasingly important.

The company also warned that patch deployment across the embedded ecosystem is likely to take years rather than months. It cited the 2024 PixieFail vulnerabilities affecting EDK II firmware as an example of slow downstream remediation and suggested that FatFs faces an even greater challenge due to the absence of an active upstream security response.

Until upstream fixes become available and platform vendors release security updates, organizations should assume that many deployed embedded devices continue to process untrusted FAT and exFAT media using vulnerable code.
