Seven flaws in the FatFs library expose millions of embedded devices, mostly unpatched
Researchers at runZero disclosed seven vulnerabilities in FatFs, a tiny filesystem library that lets devices read FAT and exFAT media like USB drives and SD cards and that is bundled into the firmware of countless embedded and industrial products. The most serious, CVE-2026-6682, is an integer overflow when mounting a FAT32 volume that can lead to memory corruption and code execution, and several bugs are reachable through firmware update flows, not just physical media. The hard part is patching: FatFs is maintained by a single developer who did not respond to the researchers, so most of the memory-corruption flaws have no upstream fix and downstream vendors may never learn they are affected.
- Check: Inventory devices and firmware that bundle the FatFs library, especially anything that mounts USB, SD-card, or externally supplied filesystem images or accepts firmware updates, and ask vendors whether their products include FatFs.
- Affected: Embedded, industrial, and consumer devices that bundle FatFs to read FAT or exFAT media (CVE-2026-6682 and six others); malicious media or update images can crash devices or corrupt memory toward code execution.
- Fix: Where possible, restrict which USB, SD-card, and update-image sources a device will mount, isolate affected devices, and press vendors for firmware updates, since most of these flaws have no upstream fix.
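To make the "integer overflow when mounting a FAT32 volume" concrete, here is an added example in C. It is not FatFs code and it is not the mechanism of CVE-2026-6682, whose details the write-up does not give; it only shows the general class of bug. A FAT32 boot sector's geometry fields (bytes per sector, sectors per cluster, reserved sectors, number of FATs, FAT size, total sectors, root cluster, at their standard BIOS Parameter Block offsets) come straight off the media, and a mount routine that multiplies and adds them in 32-bit arithmetic can be wrapped by a hostile image into trusting a small, wrong offset. The two boot sectors below are constructed for the demonstration, not captured from a device; the checking rules (power-of-two sector and cluster sizes, FATs inside the volume, cluster count in FAT32 range, root cluster inside the data area, FAT large enough for one 4-byte entry per cluster) are the checks a mount should apply before any field is used as a size or index.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not FatFs code): parse a FAT32 boot sector and show how the
 * mount-time geometry arithmetic wraps in 32 bits on hostile field values,
 * beside a 64-bit, bounds-checked version that rejects such images.
 * Field offsets follow the FAT32 BIOS Parameter Block layout. */

typedef struct {
    uint16_t bytes_per_sec;   /* BPB_BytsPerSec, offset 11 */
    uint8_t  sec_per_clus;    /* BPB_SecPerClus, offset 13 */
    uint16_t rsvd_sec_cnt;    /* BPB_RsvdSecCnt, offset 14 */
    uint8_t  num_fats;        /* BPB_NumFATs,    offset 16 */
    uint32_t tot_sec;         /* BPB_TotSec16 (19) or BPB_TotSec32 (32) */
    uint32_t fat_sz;          /* BPB_FATSz16 (22) or BPB_FATSz32 (36) */
    uint32_t root_clus;       /* BPB_RootClus,   offset 44 */
} bpb_t;

static uint16_t ld16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t ld32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void st16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void st32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static int is_pow2(uint32_t x) { return x != 0 && (x & (x - 1)) == 0; }

/* Pull the geometry fields out of a 512-byte boot sector; -1 if the 0x55AA signature is missing. */
int bpb_parse(const uint8_t sec[512], bpb_t *b) {
    if (sec[510] != 0x55 || sec[511] != 0xAA) return -1;
    b->bytes_per_sec = ld16(sec + 11);
    b->sec_per_clus  = sec[13];
    b->rsvd_sec_cnt  = ld16(sec + 14);
    b->num_fats      = sec[16];
    b->tot_sec   = ld16(sec + 19) ? ld16(sec + 19) : ld32(sec + 32);
    b->fat_sz    = ld16(sec + 22) ? ld16(sec + 22) : ld32(sec + 36);
    b->root_clus = ld32(sec + 44);
    return 0;
}

/* Unchecked form: first data sector in 32-bit unsigned arithmetic. NumFATs * FATSz32
 * can exceed 2^32 and wrap, so a huge FAT size yields a small, wrong offset that
 * later sector- and cluster-to-byte math will trust. */
uint32_t data_start_unchecked(const bpb_t *b) {
    return b->rsvd_sec_cnt + b->num_fats * b->fat_sz;
}

/* Checked form: 64-bit intermediates plus consistency rules enforced before any
 * field is used as an index or size. Returns the cluster count, or -1 if rejected. */
long clusters_of(const uint8_t sec[512]) {
    bpb_t b;
    if (bpb_parse(sec, &b) != 0) return -1;
    if (!is_pow2(b.bytes_per_sec) || b.bytes_per_sec < 512 || b.bytes_per_sec > 4096) return -1;
    if (!is_pow2(b.sec_per_clus) || b.num_fats < 1 || b.num_fats > 2) return -1;
    if (b.rsvd_sec_cnt == 0 || b.fat_sz == 0 || b.tot_sec == 0) return -1;
    uint64_t data_start = (uint64_t)b.rsvd_sec_cnt + (uint64_t)b.num_fats * b.fat_sz;
    if (data_start >= b.tot_sec) return -1;                   /* FATs would run past the volume */
    uint64_t clusters = (b.tot_sec - data_start) / b.sec_per_clus;
    if (clusters < 65525 || clusters > 0x0FFFFFF5) return -1; /* outside the FAT32 cluster range */
    if (b.root_clus < 2 || b.root_clus >= clusters + 2) return -1;
    if ((uint64_t)b.fat_sz * b.bytes_per_sec < (clusters + 2) * 4) return -1; /* FAT too small for its entries */
    return (long)clusters;
}

/* Constructed boot sector for the demo (not a real device image). */
void make_boot_sector(uint8_t sec[512], uint16_t bps, uint8_t spc, uint16_t rsvd,
                      uint8_t nfats, uint32_t tot32, uint32_t fsz32, uint32_t root) {
    memset(sec, 0, 512);
    st16(sec + 11, bps); sec[13] = spc; st16(sec + 14, rsvd); sec[16] = nfats;
    st32(sec + 32, tot32); st32(sec + 36, fsz32); st32(sec + 44, root);
    sec[510] = 0x55; sec[511] = 0xAA;
}

/* Two constructed images: a sane 512 MiB FAT32 volume, and one whose FATSz32
 * makes NumFATs * FATSz32 wrap in 32 bits. */
long sane_image_clusters(void) {
    uint8_t s[512]; make_boot_sector(s, 512, 8, 32, 2, 1048576u, 1024u, 2); return clusters_of(s);
}
long hostile_image_clusters(void) {
    uint8_t s[512]; make_boot_sector(s, 512, 8, 32, 2, 0x100000u, 0x80000010u, 2); return clusters_of(s);
}
uint32_t hostile_unchecked_data_start(void) {
    uint8_t s[512]; bpb_t b;
    make_boot_sector(s, 512, 8, 32, 2, 0x100000u, 0x80000010u, 2);
    bpb_parse(s, &b);
    return data_start_unchecked(&b);   /* 2 * 0x80000010 wraps to 0x20; plus 32 reserved = 64 */
}

int main(void) {
    printf("sane image: %ld clusters\n", sane_image_clusters());
    printf("hostile image: checked -> %ld, unchecked data start -> sector %u\n",
           hostile_image_clusters(), (unsigned)hostile_unchecked_data_start());
    return 0;
}
```

The unchecked path places the data area at sector 64 of a volume whose FATs, taken at face value, are 2 GiB of sectors each; everything downstream (cluster-to-sector conversion, FAT entry lookups, buffer sizing) then works from that fiction. The checked path rejects the image at mount time, which is the only place a device that cannot be patched upstream can stop a crafted SD card or update image before it is parsed further.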