Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library that enables devices to read and write FAT and exFAT formats commonly used on USB drives and SD cards. These vulnerabilities are significant due to the extensive use of FatFs in various devices, including security cameras, drones, industrial controllers, and hardware crypto wallets.
Details of the Vulnerabilities
The vulnerabilities allow an attacker to exploit a device by introducing a malicious USB drive, SD card, or firmware update. This could lead to memory corruption and unauthorized code execution. runZero notes that many embedded devices lack the memory protections found in more robust systems, making them particularly vulnerable. The firm emphasized that “any physical access leads to a jailbreak,” which is alarming for devices like public kiosks, ATMs, and voting machines.
Severity Ratings and Specific CVEs
runZero has rated the vulnerabilities with a CVSS score ranging from Medium to High, with no Critical ratings. The most severe vulnerability is identified as CVE-2026-6682, which has a CVSS score of 7.6 and involves an integer overflow in the FAT32 volume mounting code. This flaw can lead to memory corruption and potential code execution. Other notable CVEs include:
- CVE-2026-6687 (7.6, High): Buffer overflow in exFAT volume-label field.
- CVE-2026-6688 (7.6, High): Long filenames causing buffer overflows.
- CVE-2026-6685 (6.1, Medium): Cache handling issues that may corrupt data.
- CVE-2026-6683 (4.6, Medium): Divide-by-zero error that can crash devices.
- CVE-2026-6686 (4.6, Medium): Potential data leakage from deleted files.
- CVE-2026-6684 (4.6, Medium): Malformed partition tables causing device hangs.
Challenges in Patching
runZero has highlighted the difficulty in addressing these vulnerabilities, as FatFs is maintained by a single developer with limited communication. Despite attempts to contact the maintainer and involve Japan’s JPCERT/CC, there has been no response. Currently, only the issue related to CVE-2026-6684 has been addressed in the upstream release of FatFs R0.16. The remaining vulnerabilities will require action from downstream vendors, which could take considerable time.
Current Status and Recommendations
As of the latest disclosure on July 1, 2026, no attacks exploiting these vulnerabilities have been reported. However, runZero has released proof-of-concept materials, including disk images and a test harness, which could facilitate future exploitation. For manufacturers using FatFs, it is advised to audit their implementations, particularly regarding how they handle filenames and file sizes, and to monitor for vendor firmware updates to mitigate potential risks.
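The audit recommendation above concerns how mount code handles untrusted on-disk numbers. As an added illustration of that class of check (example code written for this article, not FatFs's own code, and not a reproduction of the specific flaws runZero reported), the following boot-sector validator rejects a zero cluster divisor and performs the sector arithmetic in 64 bits so that a crafted field cannot wrap a 32-bit count into a small, plausible value. Field offsets follow the standard FAT32 BPB layout; the sample sectors are constructed inline.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical helper, not FatFs code: little-endian field read. */
static uint32_t rd(const uint8_t *p, int n) {
    uint32_t v = 0;
    for (int i = n - 1; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/* Mount-time sanity check on a 512-byte FAT32 boot sector. Returns true only
 * if the fields are in spec ranges, the cluster divisor is non-zero, and the
 * sector arithmetic, done here in 64 bits, cannot wrap a 32-bit count into a
 * small "valid" value. Writes the cluster count to *clusters on success. */
bool fat32_bpb_check(const uint8_t sector[512], uint64_t *clusters) {
    uint32_t bps   = rd(sector + 11, 2);  /* bytes per sector */
    uint32_t spc   = sector[13];          /* sectors per cluster */
    uint32_t rsvd  = rd(sector + 14, 2);  /* reserved sectors */
    uint32_t nfats = sector[16];
    uint32_t total = rd(sector + 32, 4);  /* total sectors (32-bit field) */
    uint32_t spf   = rd(sector + 36, 4);  /* sectors per FAT (32-bit field) */

    /* Bytes per sector and sectors per cluster: non-zero powers of two; a
     * zero sectors-per-cluster is a divide-by-zero when computing clusters. */
    if (bps < 512 || bps > 4096 || (bps & (bps - 1))) return false;
    if (spc == 0 || spc > 128 || (spc & (spc - 1))) return false;
    if (rsvd == 0 || nfats == 0 || spf == 0 || total == 0) return false;
    /* System area = reserved + FATs, in 64 bits so nfats * spf cannot overflow. */
    uint64_t sys = (uint64_t)rsvd + (uint64_t)nfats * spf;
    if (sys >= total) return false;
    uint64_t n = (total - sys) / spc;
    /* FAT32 volumes carry at least 65525 and at most 0x0FFFFFF5 clusters. */
    if (n < 65525 || n > 0x0FFFFFF5) return false;
    if (clusters) *clusters = n;
    return true;
}

/* Test helper: builds a constructed boot sector from the given fields. */
void make_sector(uint8_t s[512], uint16_t bps, uint8_t spc, uint16_t rsvd,
                 uint8_t nfats, uint32_t total, uint32_t spf) {
    memset(s, 0, 512);
    s[11] = (uint8_t)bps;  s[12] = (uint8_t)(bps >> 8);  s[13] = spc;
    s[14] = (uint8_t)rsvd; s[15] = (uint8_t)(rsvd >> 8); s[16] = nfats;
    for (int i = 0; i < 4; i++) {
        s[32 + i] = (uint8_t)(total >> (8 * i));
        s[36 + i] = (uint8_t)(spf >> (8 * i));
    }
}
```

With a sectors-per-FAT field of 0xFFFFFFFF and two FATs, the same sum done in 32 bits would wrap to 30 sectors and pass a naive size check; the 64-bit form rejects it.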
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.