Seven FatFs bugs put millions of embedded devices at risk — mostly unpatched
runZero disclosed seven CVEs in FatFs — the FAT/exFAT filesystem driver embedded across ESP-IDF, STM32Cube, Zephyr, MicroPython, ArduPilot and more. The worst, CVE-2026-6682 (CVSS 7.6), is an integer overflow during FAT32 mount that forges file-size metadata and can lead to memory corruption and code execution. Only one of the seven is fixed upstream (R0.16); with the maintainer unresponsive, most remain open.
runZero researchers disclosed seven vulnerabilities in FatFs, the lightweight FAT/exFAT filesystem library embedded across a huge range of hardware platforms: Espressif ESP-IDF, STMicroelectronics STM32Cube, Zephyr RTOS, MicroPython, ArduPilot, RT-Thread, Mbed, Samsung TizenRT and SWUpdate — reaching into consumer IoT, industrial controllers, drones and crypto wallets. As of the July 1, 2026 disclosure, no real-world attacks had been observed.
Key points
- CVE-2026-6682 (CVSS 7.6) is the headline bug: an integer overflow in core mount arithmetic yields attacker-controlled file-size metadata that downstream code trusts, leading to heap/stack overflow and possible code execution on real hardware.
- All seven CVEs rate Medium to High — none are Critical.
- Only CVE-2026-6684 (a GPT partition-scan DoS) is fixed upstream, in FatFs R0.16; pre-R0.16 builds remain vulnerable.
- runZero found the bugs using VS Code + GitHub Copilot in "auto" mode with basic prompts — no custom fuzzing or harnesses — surfacing issues missed in a manual 2017 audit.
- Repeated attempts to reach the maintainer and coordinate via JPCERT/CC went unanswered; the project has no security mailing list, leaving downstream vendors unaware.
- The team shipped proof-of-concept disk images, a test harness and a working QEMU-based exploit alongside the disclosure.