
Security firm runZero has disclosed seven vulnerabilities in FatFs, a small filesystem library that lets a device read and write the FAT and exFAT formats used on USB drives and SD cards.
The issues matter because FatFs is almost everywhere. It ships inside the firmware that runs security cameras, drones, industrial controllers, hardware crypto wallets, and other devices built on real-time operating systems.
On the worst-affected systems, an attacker who gets a booby-trapped USB drive, SD card, or update file onto a device can corrupt its memory and run their own code.
Many embedded devices lack the memory protections found on phones and desktops, which is why runZero says "any physical access leads to a jailbreak." A public kiosk, a camera with an SD slot, an ATM, or a voting machine with a USB port should not hand over full control after a moment of physical access, but here it can.
All seven bugs work the same basic way. The device tries to read a storage volume or firmware image that has been deliberately malformed, and FatFs mishandles the bad data. runZero rated the set CVSS Medium to High, with no Criticals.
The headline bug is CVE-2026-6682 (CVSS 7.6), an integer overflow in the code that mounts a FAT32 volume. Bad arithmetic can produce a false file size, which later code treats as a real read length. On real hardware, that can become memory corruption and code execution.
Here are all seven, worst first by runZero's rating:
- CVE-2026-6682 (7.6, High): FAT32 mount integer overflow leading to memory corruption and possible code execution. Reachable through some firmware updates, not just physical media.
- CVE-2026-6687 (7.6, High): an exFAT volume-label field overflows a small buffer, giving an attacker a clean memory-corruption foothold.
- CVE-2026-6688 (7.6, High): long filenames overflow the wrapper code many projects put around FatFs, such as a strcpy of fno.fname into a fixed buffer. Hard to fix inside FatFs alone.
- CVE-2026-6685 (6.1, Medium): an arithmetic wrap in cache handling on fragmented volumes that can silently corrupt data.
- CVE-2026-6683 (4.6, Medium): an exFAT divide-by-zero that crashes the device. In an update flow, it can brick hardware. Also reachable through some firmware updates.
- CVE-2026-6686 (4.6, Medium): a file extended past its end can leak leftover data from previously deleted files.
- CVE-2026-6684 (4.6, Medium): a malformed GPT partition table (the disk's map) can hang the device during mount. It is the only one of the seven fixed upstream, in FatFs R0.16.
Here is the hard part. FatFs is maintained by one developer in a small corner of the web, and runZero says it tried repeatedly to reach the maintainer and looped in Japan's JPCERT/CC coordination center, with no response.
By runZero's account, there is no upstream fix for the memory-corruption bugs, no security mailing list, and no way for the many products that bundle FatFs to learn they are affected. Updating helps with the GPT hang, since the current release blocks it, but the rest fall to downstream vendors to patch on their own.
runZero names affected platforms, including Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT, and the SWUpdate updater. That pushes the problem downstream into consumer IoT, industrial equipment, drones, and crypto wallets.
As of runZero's July 1 disclosure, no attacks using these bugs had been reported, and none have surfaced since. But the exploit material is already public: runZero shipped proof-of-concept disk images, a test harness, and a working QEMU-based exploit example in a companion repository.
If you build firmware that touches FAT or exFAT media, the advice is direct. Find the copy of FatFs in your product, audit the wrapper code around it, look hard at how you handle filenames and file sizes, and plan to patch.
If you run affected devices, treat physical ports and update channels as an attack surface: limit who can plug in media, and watch for vendor firmware updates.
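As an added example (not runZero's code and not the FatFs project's), here are the two wrapper-side checks the advice to firmware builders above calls for, in C: a bounded filename copy in place of the strcpy-of-fno.fname pattern the advisory cites, and overflow-checked size arithmetic before a size taken from on-disk metadata is used as a read length. The FILINFO struct, the FF_LFN_BUF value, APP_NAME_MAX, the function names and the sample directory entries are assumptions constructed for illustration, not FatFs's own API or real on-disk data.

```c
/* Added example, not code from runZero or the FatFs project. The FILINFO
 * below is a hypothetical, simplified stand-in for the FatFs struct (real
 * ff.h sizes fname by FF_LFN_BUF); all other names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FF_LFN_BUF 255                      /* assumption: typical LFN buffer size */
typedef struct {
    uint32_t fsize;                         /* size as read from the directory entry */
    char     fname[FF_LFN_BUF + 1];         /* long filename, NUL-terminated */
} FILINFO;

#define APP_NAME_MAX 32                     /* the fixed buffer many wrappers keep */

/* Vulnerable pattern from the advisory: trusts that fname fits. A 200-byte
 * name from a crafted SD card writes past dst. Kept for contrast only and
 * never called here. */
void copy_name_unsafe(char dst[APP_NAME_MAX], const FILINFO *fno)
{
    strcpy(dst, fno->fname);
}

/* Hardened version: refuse names that do not fit instead of truncating
 * silently, so an over-long name cannot collapse into a different valid path. */
bool copy_name_safe(char dst[APP_NAME_MAX], const FILINFO *fno)
{
    const char *end = memchr(fno->fname, '\0', sizeof fno->fname);
    size_t n = end ? (size_t)(end - fno->fname) : sizeof fno->fname;
    if (n >= APP_NAME_MAX) {
        dst[0] = '\0';
        return false;
    }
    memcpy(dst, fno->fname, n + 1);
    return true;
}

/* Overflow-checked multiply: false if a*b does not fit in 32 bits. Code that
 * derives byte counts from cluster counts needs this so crafted geometry
 * fields cannot wrap to a small, plausible-looking number. */
bool mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    uint64_t p = (uint64_t)a * b;
    if (p > UINT32_MAX) return false;
    *out = (uint32_t)p;
    return true;
}

/* Bytes it is safe to read: bounded by the entry's size and by the volume's
 * data area. Returns 0 when the metadata is inconsistent. data_clusters and
 * cluster_bytes are the values the mount derived from the boot sector. */
uint32_t safe_read_len(const FILINFO *fno, uint32_t data_clusters,
                       uint32_t cluster_bytes, uint32_t want)
{
    uint32_t data_bytes;
    if (!mul_u32_checked(data_clusters, cluster_bytes, &data_bytes))
        return 0;                           /* wrapped: the geometry is lying */
    if (fno->fsize > data_bytes)
        return 0;                           /* file claims more than the volume holds */
    return want < fno->fsize ? want : fno->fsize;
}

/* Constructed directory entry, as a crafted card would present it. */
static FILINFO make_entry(size_t name_len, uint32_t fsize)
{
    FILINFO f;
    memset(&f, 0, sizeof f);
    if (name_len > FF_LFN_BUF) name_len = FF_LFN_BUF;
    memset(f.fname, 'A', name_len);
    f.fsize = fsize;
    return f;
}

int main(void)
{
    char buf[APP_NAME_MAX];
    FILINFO ok   = make_entry(12, 4096);
    FILINFO evil = make_entry(200, 0xFFFFFFFFu);

    printf("short name copied: %d\n", copy_name_safe(buf, &ok));
    printf("long name refused: %d\n", !copy_name_safe(buf, &evil));
    /* 2^21 clusters of 4 KiB is 2^33 bytes: the byte count would wrap. */
    printf("wrapped geometry: %u\n", safe_read_len(&ok, 0x00200000u, 4096, 512));
    printf("sane geometry: %u\n",    safe_read_len(&ok, 0x0000FFF0u, 4096, 512));
    printf("oversized fsize: %u\n",  safe_read_len(&evil, 0x0000FFF0u, 4096, 512));
    return 0;
}
```

The refusal in copy_name_safe is deliberate: a wrapper that truncates to 31 characters instead would still avoid the overflow, but two different long names could then map to the same short path, which is its own class of bug on devices that use filenames as update or config identifiers.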
Why this retains taking place
runZero first audited FatFs by hand in 2017 and found little worth reporting. Returning in March 2026, the team pointed an off-the-shelf setup at the same code: Visual Studio Code, GitHub Copilot in "auto" mode, and a few plain prompts.
The LLM built a fuzzer, a tool that feeds malformed data into code until something breaks. That surfaced bugs the manual audit had missed and helped confirm they were exploitable.
That fits a growing pattern. In late 2024, Google's Big Sleep agent found a real, exploitable memory bug in SQLite that ordinary fuzzing had missed.
Just last month, an autonomous AI agent surfaced 21 memory-safety bugs in FFmpeg, another widely embedded C library. runZero's point is blunt: if a mostly off-the-shelf AI pipeline can find these, so can anyone, so sitting on them quietly protects no one.
The patching problem is familiar. runZero expects downstream fixes to take years, not days, and PixieFail is the precedent: a 2024 batch of nine bugs in the network-boot code of EDK II, the firmware behind many PC and server brands, that vendors were slow to patch. FatFs has the same shape and a weaker fix pipeline, because there is no responsive upstream at all.
Watch for two things: whether the FatFs maintainer resurfaces with a patch, and how the big platform vendors that bundle it respond. Until they do, assume that plenty of shipping devices read untrusted storage with code that has no fix behind it.

