Unpatched FatFs Flaws Expose Millions of Embedded Devices
What happened
Security firm runZero disclosed seven vulnerabilities in FatFs, a small filesystem library used by embedded devices to read and write FAT and exFAT formats on USB drives and SD cards. The flaws matter because FatFs is bundled into firmware across many device categories, including security cameras, drones, industrial controllers, hardware crypto wallets, and other systems built on real-time operating systems.
The most serious issues can allow an attacker to use a malformed USB drive, SD card, or firmware update file to trigger memory corruption and potentially execute code on affected devices. runZero said the bugs are especially concerning because many embedded systems lack the memory protections found on phones and desktops. The vulnerabilities are rated Medium to High severity, with the highest-rated issues tracked as CVE-2026-6682, CVE-2026-6687, and CVE-2026-6688.
The affected ecosystem is broad because FatFs is included in platforms and projects such as Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and SWUpdate. runZero said only one of the seven issues, a malformed GPT partition table bug tracked as CVE-2026-6684, has been fixed upstream in FatFs R0.16. The remaining memory-corruption issues currently fall to downstream vendors to patch on their own.
runZero said it repeatedly tried to contact the FatFs maintainer and also involved Japan’s JPCERT/CC coordination center, but did not receive a response. As of the disclosure, no attacks using the vulnerabilities had been reported, but runZero has published proof-of-concept disk images, a test harness, and a QEMU-based exploit example, making the findings publicly available to defenders and attackers alike.
Who is affected
Vendors that build firmware using FatFs are directly affected, especially those whose devices read untrusted USB drives, SD cards, firmware images, or removable storage media.
Organizations using embedded systems may also be affected, including those operating security cameras, industrial equipment, kiosks, drones, ATMs, hardware wallets, or other devices with physical media slots or update mechanisms that rely on FAT or exFAT parsing.
The risk is highest for devices that are physically accessible, deployed in public or semi-public environments, or updated through removable media. In those cases, brief access to a USB port or SD card slot may be enough to trigger exploitation on vulnerable systems.
Why CISOs should care
This issue highlights the hidden risk of third-party firmware components. FatFs is a small library, but it sits deep inside many embedded products and can become a shared exposure across entire device classes.
For CISOs, the physical-access angle matters. Devices such as kiosks, cameras, ATMs, controllers, and other field-deployed systems may be treated as low-maintenance assets, but removable media and update paths can become attack surfaces.
The patching challenge is also significant. With no upstream fix for most of the disclosed flaws, organizations may have to wait for downstream platform vendors and device manufacturers to identify affected builds, produce fixes, and ship firmware updates.
The disclosure also shows how AI-assisted vulnerability research is changing the pace of bug discovery. runZero said it used an off-the-shelf setup with Visual Studio Code, GitHub Copilot, and simple prompts to build a fuzzer that found bugs missed by earlier manual review.
3 practical actions
Inventory embedded devices that read removable media: CISOs should identify products that use USB drives, SD cards, firmware images, or FAT and exFAT parsing, especially devices deployed in public, industrial, or operational environments.
Ask vendors whether they bundle FatFs: Because FatFs is included across many downstream platforms, security teams should request vendor confirmation on exposure, affected firmware versions, available mitigations, and patch timelines.
Restrict physical and update-channel access: Until fixes are available, organizations should limit who can insert removable media, disable unnecessary USB or SD access where possible, monitor update workflows, and watch for vendor firmware updates addressing FatFs-related flaws.
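The first two actions above start with the same question: which of our firmware builds actually carry a copy of FatFs, and with which parsers compiled in? The script below is an added example (not runZero's tooling and not code from the FatFs project) that walks a firmware or SDK source tree and reports every vendored FatFs copy. It relies on how FatFs is shipped: ff.h defines the numeric revision in the FF_DEFINED macro, ffconf.h mirrors it in FFCONF_DEF and holds the build options, and ff.c sits beside them. The FF_FS_EXFAT, FF_MULTI_PARTITION and FF_LBA64 options are real ffconf.h switches that gate exFAT, multi-partition and 64-bit LBA/GPT handling; flagging them helps prioritise, since the disclosed issues concern FAT/exFAT and GPT parsing of untrusted media. The sample tree in demo_scan() and its revision numbers are constructed for the demonstration and are not real FatFs revision IDs.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# FatFs is vendored as plain files: ff.c / ff.h (core), ffconf.h (build-time
# options) and diskio.c / diskio.h (the media layer the integrator supplies).
# ff.h defines FF_DEFINED and ffconf.h defines FFCONF_DEF with the same numeric
# revision ID, so a mismatch means copies were mixed or patched by hand.
FF_DEFINED_RE = re.compile(r"^\s*#\s*define\s+FF_DEFINED\s+(\d+)", re.M)
FFCONF_DEF_RE = re.compile(r"^\s*#\s*define\s+FFCONF_DEF\s+(\d+)", re.M)
# ffconf.h options that compile in exFAT, multi-partition and 64-bit LBA/GPT
# handling. They do not make a copy vulnerable by themselves, but they show
# which parsers of untrusted media are actually built into the firmware.
OPTION_RE = re.compile(
    r"^\s*#\s*define\s+(FF_FS_EXFAT|FF_MULTI_PARTITION|FF_LBA64)\s+(\d+)", re.M)


@dataclass
class FatFsCopy:
    directory: str
    revision_id: Optional[str]            # FF_DEFINED from ff.h
    config_id: Optional[str]              # FFCONF_DEF from ffconf.h, if present
    has_core_source: bool                 # ff.c sits next to ff.h
    options: Dict[str, int] = field(default_factory=dict)

    def findings(self) -> List[str]:
        """Human-readable observations worth raising with the vendor or build team."""
        notes = []
        if not self.has_core_source:
            notes.append("header only: ff.c missing, check which copy is linked")
        if self.config_id is not None and self.config_id != self.revision_id:
            notes.append(f"ffconf.h revision {self.config_id} != ff.h revision {self.revision_id}")
        enabled = sorted(name for name, val in self.options.items() if val)
        if enabled:
            notes.append("enabled: " + ", ".join(enabled))
        return notes


def macro_value(text: str, pattern: "re.Pattern[str]") -> Optional[str]:
    """Return the numeric value of the first matching #define, or None."""
    m = pattern.search(text)
    return m.group(1) if m else None


def read_text(path: str) -> str:
    if not os.path.isfile(path):
        return ""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


def find_fatfs_copies(root: str) -> List[FatFsCopy]:
    """Walk a source tree and describe every directory that contains ff.h."""
    copies = []
    for dirpath, _dirs, files in os.walk(root):
        if "ff.h" not in files:
            continue
        conf = read_text(os.path.join(dirpath, "ffconf.h"))
        copies.append(FatFsCopy(
            directory=os.path.relpath(dirpath, root),
            revision_id=macro_value(read_text(os.path.join(dirpath, "ff.h")), FF_DEFINED_RE),
            config_id=macro_value(conf, FFCONF_DEF_RE),
            has_core_source="ff.c" in files,
            options={name: int(val) for name, val in OPTION_RE.findall(conf)},
        ))
    return sorted(copies, key=lambda c: c.directory)


def report(copies: List[FatFsCopy]) -> List[str]:
    """Render the inventory as lines suitable for a ticket or asset register."""
    lines = [f"{len(copies)} FatFs {'copy' if len(copies) == 1 else 'copies'} found"]
    for c in copies:
        lines.append(f"{c.directory}: revision {c.revision_id or 'unknown'}")
        lines.extend("  - " + note for note in c.findings())
    return lines


def demo_scan() -> List[FatFsCopy]:
    """Scan a constructed tree (sample files, not real FatFs sources or revision IDs)."""
    with tempfile.TemporaryDirectory() as root:
        full = os.path.join(root, "middleware", "fatfs")
        os.makedirs(full)
        with open(os.path.join(full, "ff.h"), "w") as fh:
            fh.write("#define FF_DEFINED 12345 /* Revision ID (constructed) */\n")
        open(os.path.join(full, "ff.c"), "w").close()
        with open(os.path.join(full, "ffconf.h"), "w") as fh:
            fh.write("#define FFCONF_DEF 12345\n#define FF_FS_EXFAT 1\n"
                     "#define FF_LBA64 1\n#define FF_MULTI_PARTITION 0\n")
        stray = os.path.join(root, "old", "sdk")   # a leftover header-only copy
        os.makedirs(stray)
        with open(os.path.join(stray, "ff.h"), "w") as fh:
            fh.write("#define FF_DEFINED 11111 /* constructed */\n")
        return find_fatfs_copies(root)


if __name__ == "__main__":
    print("\n".join(report(demo_scan())))
```

Point find_fatfs_copies() at each firmware repository or vendor SDK checkout and keep the output with the asset inventory; the revision ID is what to quote when asking a vendor whether a build contains the fixed R0.16 GPT handling, and a copy with FF_FS_EXFAT or FF_LBA64 enabled on a device that accepts removable media is the one to prioritise for the access restrictions above.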