Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: fatfs (1 article)Clear

Seven flaws in the FatFs library expose millions of embedded devices, mostly unpatched

Researchers at runZero disclosed seven vulnerabilities in FatFs, a tiny filesystem library that lets devices read FAT and exFAT media like USB drives and SD cards and that is bundled into the firmware of countless embedded and industrial products. The most serious, CVE-2026-6682, is an integer overflow when mounting a FAT32 volume that can lead to memory corruption and code execution, and several bugs are reachable through firmware update flows, not just physical media. The hard part is patching: FatFs is maintained by a single developer who did not respond to the researchers, so most of the memory-corruption flaws have no upstream fix and downstream vendors may never learn they are affected.

Check
Inventory devices and firmware that bundle the FatFs library, especially anything that mounts USB, SD-card, or externally supplied filesystem images or accepts firmware updates, and ask vendors whether their products include FatFs.
Affected
Embedded, industrial, and consumer devices that bundle FatFs to read FAT or exFAT media (CVE-2026-6682 and six others); malicious media or update images can crash devices or corrupt memory toward code execution.
Fix
Where possible, restrict which USB, SD-card, and update-image sources a device will mount, isolate affected devices, and press vendors for firmware updates, since most of these flaws have no upstream fix.